免费扫描
CRITICALCVE-2024-33963CVSS 9.8

SQL injection in Janobe products

翻译中…

平台

php

组件

janobe-paypal

修复版本

1.0.1

1.0.1

1.0.1

AI Confidence: highNVDEPSS 0.2%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

A critical SQL injection vulnerability (CVE-2024-33963) has been identified in Janobe PayPal versions 1.0. This flaw allows attackers to potentially extract all data stored on the server by crafting malicious queries. The vulnerability resides within the 'id' parameter of the '/admin/mod_room/index.php' endpoint. A patch is available in version 1.0.1.

影响与攻击场景翻译中…

Successful exploitation of this SQL injection vulnerability grants an attacker unauthorized access to the entire database backing the Janobe PayPal application. This includes sensitive user data, financial information (credit card and debit card details), and potentially administrative credentials. The attacker could use this information for identity theft, financial fraud, or to gain further control over the affected system. The blast radius extends to all users of the vulnerable application, and the severity is heightened by the potential for complete data compromise. While no direct precedent is immediately apparent, SQL injection vulnerabilities are consistently among the most exploited web application flaws.

利用背景翻译中…

CVE-2024-33963 was publicly disclosed on August 6, 2024. The vulnerability is not currently listed on the CISA KEV catalog, and its EPSS score is pending evaluation. No public proof-of-concept exploits have been identified at the time of writing, but the high CVSS score indicates a significant risk. Active campaigns targeting this vulnerability are not currently confirmed.

哪些人处于风险中翻译中…

Organizations utilizing Janobe PayPal version 1.0, particularly those processing financial transactions or handling sensitive user data, are at significant risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromise of one user's application could potentially lead to the compromise of others.

检测步骤翻译中…

• php: Examine application logs for SQL errors or unusual query patterns targeting '/admin/mod_room/index.php'. • generic web: Use curl to test the '/admin/mod_room/index.php' endpoint with a simple SQL injection payload (e.g., ?id=1' OR '1'='1) and observe the response for signs of injection. • generic web: Review access logs for requests to '/admin/mod_room/index.php' with unusual or malformed 'id' parameters. • generic web: Check for directory listing exposure on the server to identify potential sensitive files.

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

0.18% (39% 百分位)

CISA SSVC

利用情况none
可自动化yes
技术影响total

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredNone攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeUnchanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
无 — 无需认证,无需凭证即可利用。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
未改变 — 影响仅限于脆弱组件本身。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件janobe-paypal
供应商Janobe
影响范围修复版本
1.0 – 1.01.0.1
1.0 – 1.01.0.1
1.0 – 1.01.0.1

弱点分类 (CWE)

CWE-89

时间线

  1. 已保留
  2. 发布日期
  3. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation for CVE-2024-33963 is to immediately upgrade Janobe PayPal to version 1.0.1, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious SQL queries targeting the '/admin/modroom/index.php' endpoint, specifically focusing on the 'id' parameter. Input validation and parameterized queries should be implemented as a temporary workaround. Monitor application logs for suspicious SQL activity, particularly queries containing SQL keywords or unusual characters. After upgrading, confirm the fix by attempting a SQL injection attack on the '/admin/modroom/index.php' endpoint with a known malicious payload; the application should now properly sanitize the input and prevent the injection.

修复方法翻译中…

Actualizar el módulo Janobe PayPal a una versión parcheada que corrija la vulnerabilidad de inyección SQL. Si no hay una versión parcheada disponible, desactive o desinstale el módulo hasta que se publique una solución. Implemente medidas de seguridad adicionales, como la validación y el saneamiento de entradas, para mitigar el riesgo de inyección SQL.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2024-33963 — SQL Injection in Janobe PayPal?

CVE-2024-33963 is a critical SQL injection vulnerability affecting Janobe PayPal version 1.0, allowing attackers to potentially extract all data from the database through the '/admin/mod_room/index.php' endpoint.

Am I affected by CVE-2024-33963 in Janobe PayPal?

You are affected if you are using Janobe PayPal version 1.0. Upgrade to version 1.0.1 to mitigate the risk.

How do I fix CVE-2024-33963 in Janobe PayPal?

Upgrade Janobe PayPal to version 1.0.1. As a temporary workaround, implement a WAF rule or input validation to filter malicious queries.

Is CVE-2024-33963 being actively exploited?

Active exploitation is not currently confirmed, but the high CVSS score indicates a significant risk and potential for exploitation.

Where can I find the official Janobe PayPal advisory for CVE-2024-33963?

Refer to the Janobe PayPal official website or security advisories for the latest information and updates regarding CVE-2024-33963.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE