CVE-2024-24572 - OpenCVE

facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql variable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Facilemanager	Facilemanager

Configuration 1 [-]

cpe:2.3:a:facilemanager:facilemanager:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877
https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc

History

Thu, 17 Oct 2024 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-31T22:33:08.498Z

Updated: 2024-10-17T17:08:31.130Z

Reserved: 2024-01-25T15:09:40.211Z

Link: CVE-2024-24572

Vulnrichment

Updated: 2024-08-01T23:19:52.906Z

NVD

Status : Analyzed

Published: 2024-01-31T23:15:08.337

Modified: 2024-02-07T17:34:10.943

Link: CVE-2024-24572

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-24572", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-25T15:09:40.211Z", "datePublished": "2024-01-31T22:33:08.498Z", "dateUpdated": "2024-10-17T17:08:31.130Z"}, "containers": {"cna": {"title": "facileManager Authenticated Variable Manipulation leading to SQL Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc"}, {"name": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877", "tags": ["x_refsource_MISC"], "url": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877"}], "affected": [{"vendor": "WillyXJ", "product": "facileManager", "versions": [{"version": "<= 4.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-31T22:33:08.498Z"}, "descriptions": [{"lang": "en", "value": "facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql\nvariable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable."}], "source": {"advisory": "GHSA-xw34-8pj6-75gc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.906Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc"}, {"name": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-01T16:18:45.690351Z", "id": "CVE-2024-24572", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T17:08:31.130Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc", "name": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877", "name": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:19:52.906Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-24572", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-01T16:18:45.690351Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-17T17:08:24.942Z"}}], "cna": {"title": "facileManager Authenticated Variable Manipulation leading to SQL Injection", "source": {"advisory": "GHSA-xw34-8pj6-75gc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "WillyXJ", "product": "facileManager", "versions": [{"status": "affected", "version": "<= 4.5.0"}]}], "references": [{"url": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc", "name": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877", "name": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql\nvariable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-31T22:33:08.498Z"}}}, "cveMetadata": {"cveId": "CVE-2024-24572", "state": "PUBLISHED", "dateUpdated": "2024-10-17T17:08:31.130Z", "dateReserved": "2024-01-25T15:09:40.211Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-31T22:33:08.498Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facilemanager:facilemanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0E110C6-3BD9-442C-9641-29531155410B", "versionEndExcluding": "4.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql\nvariable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable."}, {"lang": "es", "value": "facileManager es un conjunto modular de aplicaciones web creadas pensando en el administrador del sistema. En las versiones 4.5.0 y anteriores, la matriz global $_REQUEST se llamaba de forma insegura dentro de una funci\u00f3n extract() en admin-logs.php. El archivo PHP fm-init.php evita la manipulaci\u00f3n arbitraria de $_SESSION a trav\u00e9s de los par\u00e1metros GET/POST. Sin embargo, no impide la manipulaci\u00f3n de otras variables sensibles como $search_sql. Sabiendo esto, un usuario autenticado con privilegios para ver los registros del sitio puede manipular la variable search_sql agregando un par\u00e1metro GET search_sql en la URL. La informaci\u00f3n anterior significa que las comprobaciones y los intentos de prevenci\u00f3n de inyecci\u00f3n SQL quedaron inutilizables."}], "id": "CVE-2024-24572", "lastModified": "2024-02-07T17:34:10.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-31T23:15:08.337", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/WillyXJ/facileManager/commit/0aa850d4b518f10143a4c675142b15caa5872877"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/WillyXJ/facileManager/security/advisories/GHSA-xw34-8pj6-75gc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}