CVE-2024-33960 - Vulnerability Details - OpenCVE

SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following 'end' in '/admin/mod_reports/printreport.php' parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Janobe	Credit Card Debit Card Payment Janobe Credit Card Janobe Debit Card Payment Janobe Paypal Paypal

Configuration 1 [-]

OR	cpe:2.3:a:janobe:credit_card:1.0:::::::*
	cpe:2.3:a:janobe:debit_card_payment:1.0:::::::*
	cpe:2.3:a:janobe:paypal:1.0:::::::*

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janobe-products

History

Thu, 15 Aug 2024 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Janobe credit Card Janobe debit Card Payment Janobe paypal
CPEs		cpe:2.3:a:janobe:credit_card:1.0:::::::* cpe:2.3:a:janobe:debit_card_payment:1.0:::::::* cpe:2.3:a:janobe:paypal:1.0:::::::*
Vendors & Products		Janobe credit Card Janobe debit Card Payment Janobe paypal

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2024-08-06T11:17:25.814Z

Updated: 2024-08-06T13:48:39.835Z

Reserved: 2024-04-29T12:38:37.772Z

Link: CVE-2024-33960

Vulnrichment

Updated: 2024-08-06T13:48:21.963Z

NVD

Status : Analyzed

Published: 2024-08-06T12:15:49.130

Modified: 2024-08-15T14:08:32.490

Link: CVE-2024-33960

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-33960", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2024-04-29T12:38:37.772Z", "datePublished": "2024-08-06T11:17:25.814Z", "dateUpdated": "2024-08-06T13:48:39.835Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Janobe PayPal", "vendor": "Janobe", "versions": [{"status": "affected", "version": "1.0"}]}, {"defaultStatus": "unaffected", "product": "Janobe Credit Card", "vendor": "Janobe", "versions": [{"status": "affected", "version": "1.0"}]}, {"defaultStatus": "unaffected", "product": "Janobe Debit Card Payment", "vendor": "Janobe", "versions": [{"status": "affected", "version": "1.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following 'end' in '/admin/mod_reports/printreport.php' parameter."}], "value": "SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following\u00a0'end' in '/admin/mod_reports/printreport.php' parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-08-06T11:36:56.894Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janobe-products"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is no reported solution at this time."}], "value": "There is no reported solution at this time."}], "source": {"discovery": "EXTERNAL"}, "title": "SQL injection in Janobe products", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "janobe", "product": "janobe_paypal", "cpes": ["cpe:2.3:a:janobe:janobe_paypal:1.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.0", "status": "affected"}]}, {"vendor": "janobe", "product": "janobe_credit_card", "cpes": ["cpe:2.3:a:janobe:janobe_credit_card:1.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.0", "status": "affected"}]}, {"vendor": "janobe", "product": "janobe_debit_card_payment", "cpes": ["cpe:2.3:a:janobe:janobe_debit_card_payment:1.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "1.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-06T13:42:10.523305Z", "id": "CVE-2024-33960", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T13:48:39.835Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-33960", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-06T13:42:10.523305Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:janobe:janobe_paypal:1.0:*:*:*:*:*:*:*"], "vendor": "janobe", "product": "janobe_paypal", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:janobe:janobe_credit_card:1.0:*:*:*:*:*:*:*"], "vendor": "janobe", "product": "janobe_credit_card", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}, {"cpes": ["cpe:2.3:a:janobe:janobe_debit_card_payment:1.0:*:*:*:*:*:*:*"], "vendor": "janobe", "product": "janobe_debit_card_payment", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-06T13:48:21.963Z"}}], "cna": {"title": "SQL injection in Janobe products", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Rafael Pedrero"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Janobe", "product": "Janobe PayPal", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}, {"vendor": "Janobe", "product": "Janobe Credit Card", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}, {"vendor": "Janobe", "product": "Janobe Debit Card Payment", "versions": [{"status": "affected", "version": "1.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "There is no reported solution at this time.", "supportingMedia": [{"type": "text/html", "value": "There is no reported solution at this time.", "base64": false}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janobe-products"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following\u00a0'end' in '/admin/mod_reports/printreport.php' parameter.", "supportingMedia": [{"type": "text/html", "value": "SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following 'end' in '/admin/mod_reports/printreport.php' parameter.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2024-08-06T11:36:56.894Z"}}}, "cveMetadata": {"cveId": "CVE-2024-33960", "state": "PUBLISHED", "dateUpdated": "2024-08-06T13:48:39.835Z", "dateReserved": "2024-04-29T12:38:37.772Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2024-08-06T11:17:25.814Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:janobe:credit_card:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "10CC4BF0-06E7-433F-9902-A807B816240D", "vulnerable": true}, {"criteria": "cpe:2.3:a:janobe:debit_card_payment:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "EAEEFF8B-8B26-4A87-8337-845D03FBEBCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:janobe:paypal:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1DF7E11E-26AF-4E84-AD88-110350D9D25C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following\u00a0'end' in '/admin/mod_reports/printreport.php' parameter."}, {"lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en PayPal, Credit Card and Debit Card Payment que afecta a la versi\u00f3n 1.0. Un atacante podr\u00eda explotar esta vulnerabilidad enviando una consulta especialmente manipulada al servidor y recuperando toda la informaci\u00f3n almacenada en \u00e9l a trav\u00e9s del siguiente par\u00e1metro 'end' en '/admin/mod_reports/printreport.php'."}], "id": "CVE-2024-33960", "lastModified": "2024-08-15T14:08:32.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2024-08-06T12:15:49.130", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-janobe-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}