What is the CVSS score of CVE-2024-46382?

CVE-2024-46382 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.1%.

Which versions of litemall are affected by CVE-2024-46382?

A SQL injection vulnerability in linlinjava litemall 1.8.0 allows remote attackers to extract sensitive customer and order data from the backend database without authentication.

Is there a public PoC exploit available for CVE-2024-46382?

Yes, a public proof-of-concept exploit is available for CVE-2024-46382. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2024-46382?

Within 24 hours: Inventory all systems running litemall 1.8.0 and review database access logs for exploitation attempts (unusual SQL queries, bulk data retrieval from orders or customer tables). Within 7 days: Deploy Web Application Firewall (WAF) rules blocking SQL injection payloads in goodsId, goodsSn, and name parameters; restrict access to AdminOrderController endpoints to authorized networks only. Within 30 days: Obtain patch timeline from vendor; begin upgrade planning to patched release or migration to alternative platform if no remediation is committed.

litemall CVE-2024-46382

HIGH

SQL Injection (CWE-89)

2024-09-19 cve@mitre.org

SQLi Litemall

7.5

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

DescriptionCVE.org

A SQL injection vulnerability in linlinjava litemall 1.8.0 allows a remote attacker to obtain sensitive information via the goodsId, goodsSn, and name parameters in AdminOrderController.java.

AnalysisAI

SQL injection in linlinjava litemall 1.8.0 allows unauthenticated remote attackers to extract sensitive data from the backend database by injecting malicious payloads into the goodsId, goodsSn, and name parameters handled by AdminOrderController.java. Publicly available exploit code exists, though EPSS rates exploitation probability low at 0.12% (30th percentile) and the issue is not listed in CISA KEV.

Technical ContextAI

litemall is an open-source Java-based e-commerce mall platform built by linlinjava that provides a small mall application stack (Spring Boot backend, admin console, WeChat mini-program, and Vue.js frontend). The vulnerability falls under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled inputs are concatenated into SQL queries without parameterization or sufficient sanitization. The CPE cpe:2.3:a:linlinjava:litemall:1.8.0 confirms the affected component is the application itself at version 1.8.0, and the flaw resides specifically in the AdminOrderController class responsible for order management queries that accept the goodsId, goodsSn, and name request parameters.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data; users should monitor the upstream linlinjava/litemall GitHub repository for a fixed release beyond 1.8.0 and apply it once available. As compensating controls, restrict network access to the /admin API surface (where AdminOrderController is exposed) to trusted management IPs via firewall or reverse-proxy ACLs, place the admin console behind a VPN or authenticated gateway, and enforce strong authentication on admin routes so the endpoint cannot be reached anonymously even if the application defaults allow it. As a code-level workaround for operators maintaining their own build, replace the dynamic SQL or MyBatis ${} expressions for goodsId, goodsSn, and name in AdminOrderController with parameterized #{} bindings and add allow-list input validation; the trade-off is the need to rebuild and redeploy from source, but this directly eliminates the injection path.

CVE-2024-46382 vulnerability details – vuln.today

Back

litemall CVE-2024-46382

Severity by source

CVSS VectorNVD

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code