Skip to main content

Funadmin CVE-2023-24782

CRITICAL
SQL Injection (CWE-89)
2023-03-08 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 08, 2023 - 21:15 nvd
CRITICAL 9.8

DescriptionNVD

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.

AnalysisAI

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit. Affected products include: Funadmin.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2023-36097 CRITICAL POC
9.8 Jun 22

funadmin v3.3.2 and v3.3.3 are vulnerable to Insecure file upload via the plugins install. Rated critical severity (CVSS

CVE-2023-24774 CRITICAL POC
9.8 Mar 10

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \controller\au

CVE-2023-24777 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list. R

CVE-2023-24773 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list

CVE-2023-24780 CRITICAL POC
9.8 Mar 08

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/columns

CVE-2023-24775 CRITICAL POC
9.8 Mar 07

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member

CVE-2023-24781 CRITICAL POC
9.8 Mar 07

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the selectFields parameter at \member\Member

CVE-2023-24776 CRITICAL POC
9.8 Mar 06

Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addo

CVE-2024-48230 HIGH POC
7.2 Oct 25

funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\a

CVE-2024-48226 HIGH POC
7.2 Oct 25

Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield. Rated high severity (CVSS 7.2), this vulnerabilit

CVE-2024-48223 HIGH POC
7.2 Oct 25

Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist. Rated high severity (CVSS 7.2), this vulnera

CVE-2024-48222 HIGH POC
7.2 Oct 25

Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit. Rated high severity (CVSS 7.2), this vulnerabilit

Share

CVE-2023-24782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy