CVE-2024-28714
Description
SQL injection in CRMEB_Java v1.3.4 via groupid parameter allows arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SQL injection vulnerability in CRMEB_Java e-commerce system version 1.3.4. The vulnerability exists in the groupid parameter, allowing an attacker to inject arbitrary SQL commands. Affected version: v1.3.4.
Exploitation
An attacker can send a crafted HTTP request with malicious SQL in the groupid parameter to the vulnerable endpoint. No authentication is required, as the parameter is directly used in a SQL query without proper sanitization.
Impact
Successful exploitation leads to arbitrary code execution. This could result in full compromise of the application and underlying server, including data theft, modification, or denial of service.
Mitigation
No fix has been released in the available references [1]. Users should monitor the official repository for updates and apply patches as soon as they become available. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- CRMEB_Java/e-commerce system
- Range: = 1.3.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.