VYPR
Unrated severity · NVD Advisory · Published Feb 23, 2024 · Updated Aug 27, 2024

CVE-2024-25469

Description

SQL injection in CRMEB crmeb_java v1.3.4 allows remote attackers to obtain sensitive info via latitude/longitude parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A SQL injection vulnerability exists in CRMEB crmeb_java version 1.3.4 and earlier. The flaw is located in the /api/front/store/list endpoint, specifically in the getNearList function. The latitude and longitude parameters are concatenated directly into SQL queries using ${} formatting without proper sanitization or parameterization [1][2]. This allows an attacker to inject arbitrary SQL commands.

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted HTTP request to the /api/front/store/list endpoint with malicious SQL payloads embedded in the latitude and longitude parameters. The injected SQL is executed against the backend database, enabling the attacker to manipulate the query [2].

Impact

Successful exploitation can result in unauthorized disclosure of sensitive information from the database, such as user credentials or personal data. Additionally, depending on the database configuration and privileges, the attacker may gain the ability to modify or delete data, and potentially achieve remote code execution [2].

Mitigation

No official patch or fixed version has been disclosed in the available references [1][2]. As a workaround, developers should apply input validation and use parameterized queries or prepared statements to prevent SQL injection. The project is open source, so users are advised to monitor the repository for updates.
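The pattern described under Vulnerability and the fix recommended above, as an added illustration that is not crmeb_java's own code: a builder that splices the latitude/longitude strings into the SQL text (the effect of a ${} substitution) beside a hardened version that validates both coordinates as numbers in range and binds them as typed parameters of a PreparedStatement (the #{} form in MyBatis). The table and column names, the distance expression and the sample input are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class NearListQuery {

    // Vulnerable pattern: the client-supplied strings become part of the statement
    // text, exactly as a ${latitude} / ${longitude} substitution would make them.
    // Shown for comparison only; table and column names are hypothetical.
    static String vulnerableSql(String latitude, String longitude) {
        return "SELECT id, name, latitude, longitude FROM store WHERE is_del = 0"
             + " ORDER BY (latitude - " + latitude + ") * (latitude - " + latitude + ")"
             + " + (longitude - " + longitude + ") * (longitude - " + longitude + ")";
    }

    // Hardened step 1: a coordinate must parse as a number and lie in its valid range.
    // Anything else (text, SQL fragments, NaN, out-of-range values) is rejected here.
    static double parseCoordinate(String raw, double min, double max) {
        double value = Double.parseDouble(raw.trim()); // throws NumberFormatException on non-numeric input
        if (Double.isNaN(value) || value < min || value > max) {
            throw new IllegalArgumentException("coordinate out of range: " + raw);
        }
        return value;
    }

    // Hardened step 2: the SQL text is constant; the validated numbers travel as bound
    // parameters, so the database never interprets them as part of the query.
    static PreparedStatement safeNearList(Connection conn, String latitude, String longitude)
            throws SQLException {
        double lat = parseCoordinate(latitude, -90.0, 90.0);
        double lon = parseCoordinate(longitude, -180.0, 180.0);
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, name, latitude, longitude FROM store WHERE is_del = 0"
          + " ORDER BY (latitude - ?) * (latitude - ?) + (longitude - ?) * (longitude - ?)");
        ps.setDouble(1, lat);
        ps.setDouble(2, lat);
        ps.setDouble(3, lon);
        ps.setDouble(4, lon);
        return ps;
    }

    public static void main(String[] args) {
        String tampered = "31.2 OR 1=1"; // constructed non-numeric input for the demonstration
        System.out.println(vulnerableSql(tampered, "121.4")); // input appears verbatim in the SQL
        try {
            parseCoordinate(tampered, -90.0, 90.0);
        } catch (NumberFormatException e) {
            System.out.println("rejected before reaching SQL: " + tampered);
        }
    }
}
```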

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Crmeb / Crmeb Java [cpe-rescue], 2 versions
    • (no CPE)
    • (no CPE), range: <=1.3.4

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.