CVE-2024-6681

State: PUBLISHED · Published: 2024-07-11 · Updated: 2024-08-01 · Assigner: VulDB

Description

A vulnerability, which was classified as critical, has been found in witmy my-springsecurity-plus up to 2024-07-04. Affected by this issue is some unknown functionality of the file /api/dept. The manipulation of the argument params.dataScope leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-271154 is the identifier assigned to this vulnerability.

CWE

CWE-89 — CWE-89 SQL Injection

Affected

witmy / my-springsecurity-plus — v=2024-07-04 [affected]

CVSS

4.0 score=5.3 severity=MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
3.1 score=6.3 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
3.0 score=6.3 severity=MEDIUM CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
2.0 score=6.5 severity= AV:N/AC:L/Au:S/C:P/I:P/A:P

References

https://vuldb.com/?id.271154 vdb-entry, technical-description
https://vuldb.com/?ctiid.271154 signature, permissions-required
https://gitee.com/witmy/my-springsecurity-plus/issues/IAAGZY exploit, issue-tracking

Source

cvelistV5-main/cves/2024/6xxx/CVE-2024-6681.json