CRITICAL🇵🇱 Wersja polska

CVE-2024-57430

CVSS 9.8v3.1pub. 2025-02-06upd. 2025-06-24

An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting this flaw can lead to unauthorized information disclosure, privilege escalation, or database manipulation.

🤖 AI Analysis
How it works

The vulnerability exists in the pjActionGetUser function, where the column parameter is directly inserted into the SQL query without proper validation or parameterized query execution (CWE-89). An attacker can submit a crafted HTTP request containing a malicious SQL payload as the column parameter value. This allows modification of the logic of queries executed by the application against the database, leading to unauthorized reading, writing, or modification of data.

Impact

An attacker can gain unauthorized access to sensitive data stored in the database (information disclosure), perform privilege escalation through user data manipulation, and directly modify or delete database contents.

Mitigation & patch

Apply patches available from the vendor according to references. Until the fix is implemented, it is recommended to restrict application access exclusively to trusted networks and implement Web Application Firewall rules blocking SQL injection attempts.

Who is affected

PHPJabbers Cinema Booking System v2.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Phpjabbers Cinema Booking System

    APP
    Phpjabbers
    2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiLPE
CWE
References

Related vulnerabilities

CVE-2024-57428CRITICAL9.3PL ✓ten sam produkt

Stored XSS w PHPJabbers Cinema Booking System v2.0

CVE-2023-51333HIGH8.8ten sam produkt

PHPJabbers Cinema Booking System v1.0 is vulnerable to CSV Injection vulnerability which allows an attacker to...

CVE-2023-51330MEDIUM5.4ten sam produkt

PHPJabbers Cinema Booking System v1.0 is vulnerable to Reflected Cross-Site Scripting (XSS) in Now Showing men...

CVE-2023-51335MEDIUM6.5ten sam produkt

PHPJabbers Cinema Booking System v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "titl...

CVE-2023-51334MEDIUM5.3ten sam produkt

A lack of rate limiting in the 'Forgot Password' feature of PHPJabbers Cinema Booking System v1.0 allows attac...