Key information

1. Vulnerability name:
- Project Worlds Life Insurance Management System 1.0 /editPayment.php RECEIPT_NO SQL INJECTION

2. Vulnerability IDs:
- VDB-282903
- CVE-2024-10734

3. CVSS Meta Temp Score:
- 6.0

4. Current vulnerability price:
- $0-$5k

5. CTI Interest Score:
- 2.98

6. Vulnerability description:
- A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown code block of the file /editPayment.php. The manipulation of the argument receipt_no with an unknown input leads to an SQL injection vulnerability.

7. Impact:
- The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize, or incorrectly neutralizes, special elements that could modify the intended SQL command when it is sent to a downstream component. This has an impact on confidentiality, integrity, and availability.

8. CVE description:
- A vulnerability was found in Project Worlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /editPayment.php. The manipulation of the argument receipt_no leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

9. Exploitation:
- It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2024-10734. The exploitability is said to be easy. It is possible to initiate the attack remotely. Technical details and a public exploit are known. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.

10. Exploit tool:
- The exploit is shared for download at github.com. It is declared as proof-of-concept. By approaching the search of inurl:editPayment.php it is possible to find vulnerable targets with Google Hacking.

11. Recommended countermeasures:
- There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

12. Related links:
- See VDB-199685 and VDB-275924 for similar entries.
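The weakness described in items 6 and 7 (CWE-89: user input spliced into an SQL statement) and its standard remediation, as an added illustrative example that is not code from the Project Worlds project or from the advisory. The table and column names, the use of mysqli, and the receipt-number format check are assumptions for the sake of illustration.

```php
<?php
// Added illustrative example, not code from Project Worlds Life Insurance
// Management System. Table "payment", column "receipt_no" and the database
// credentials below are hypothetical placeholders.

// Weak pattern (CWE-89): the request parameter is concatenated into the
// SQL text, so special characters in it can change the statement itself.
function lookupPaymentUnsafe(mysqli $db, string $receiptNo): ?array
{
    $sql = "SELECT * FROM payment WHERE receipt_no = '" . $receiptNo . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened form: a prepared statement with a bound parameter. The value is
// transmitted separately from the statement text and can only ever be data.
function lookupPaymentSafe(mysqli $db, string $receiptNo): ?array
{
    // Optional allow-list on shape before the value reaches the database
    // (assumed format: 1-32 letters, digits or hyphens).
    if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $receiptNo)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM payment WHERE receipt_no = ?');
    $stmt->bind_param('s', $receiptNo);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Handler sketch for an editPayment-style page: always take the safe path.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly on SQL errors
$db = new mysqli('localhost', 'db_user', 'db_pass', 'insurance_db'); // placeholders
$receiptNo = (string)($_POST['receipt_no'] ?? '');
$payment = lookupPaymentSafe($db, $receiptNo);
if ($payment === null) {
    http_response_code(404);
    exit('No such payment.');
}
```

The same pattern applies to every other statement on the page that uses request data; when the vendor offers no fix, wrapping each query in a prepared statement is the practical mitigation short of replacing the product.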