CRITICAL🇵🇱 Wersja polska

CVE-2024-55509

CVSS 9.8v3.1pub. 2024-12-20upd. 2025-04-03

SQL injection vulnerability in CodeAstro Complaint Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via the id parameter of the delete.php component.

🤖 AI Analysis
How it works

The vulnerability exists in the 'id' parameter of the delete.php component, which is not properly sanitized before use in an SQL query. An attacker can inject malicious SQL code into this parameter, leading to execution of unintended database operations. Through a properly crafted query, arbitrary code execution (RCE) and privilege escalation in the system are possible.

Impact

An attacker can gain full access to the database, execute arbitrary code on the server, and escalate their privileges — potentially taking complete control of the system (high confidentiality, integrity, and availability impact).

Mitigation & patch

Apply patches available from the vendor according to the references. Until an update is applied, it is recommended to restrict access to the delete.php component, for example through a Web Application Firewall (WAF) or access control at the web server level.

Who is affected

Codeastro Complaint Management System v.1.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Codeastro Complaint Management System

    APP
    Codeastro
    1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCESQLiLPE
CWE
References

Related vulnerabilities

CVE-2024-55507CRITICAL9.8PL ✓ten sam produkt

Eskalacja uprawnień w Codeastro Complaint Management System v.1.0

CVE-2024-56889HIGH7.5ten sam produkt

Incorrect access control in the endpoint /admin/m_delete.php of CodeAstro Complaint Management System v1.0 all...

CVE-2024-55505HIGH8.8ten sam produkt

An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via th...

CVE-2024-55506HIGH8.8ten sam produkt

An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an atta...

CVE-2025-70149CRITICAL9.8PL ✓ten sam vendor

SQL Injection w Codeastro Membership Management System via parametr ID