CVE-2024-33292
Description
SQL Injection vulnerability in Realisation MGSD v.1.0 allows a remote attacker to obtain sensitive information via the id parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-33292 is a blind SQL injection in Realisation MGSD v1.0's id parameter, allowing remote unauthenticated attackers to extract sensitive database information.
Overview
CVE-2024-33292 describes a blind SQL injection vulnerability in Conception & Réalisation MGSD version 1.0. The flaw resides in the id parameter of the under_products_marechal.php endpoint. An unauthenticated remote attacker can inject arbitrary SQL commands through this parameter, as demonstrated in the provided exploit proof-of-concept [1].
Exploitation
The attack requires no authentication and can be performed over HTTP. The vulnerable endpoint does not properly sanitize or parameterize the id input, allowing an attacker to craft malicious SQL queries. The exploit example shows a simple GET request to /under_products_marechal.php?id= with the injection payload appended, indicating a classic boolean-based blind SQL injection technique [1].
Impact
Successful exploitation enables an attacker to retrieve sensitive information from the underlying database, such as user credentials, personal data, or other confidential records. Given the blind nature of the injection, an attacker can systematically extract data character by character using conditional responses [1]. This can lead to full database compromise and subsequent lateral movement within the application's ecosystem.
Mitigation
The vendor, Realisation, has not released a patched version as of the publication date. Users of MGSD v1.0 should immediately apply input validation and use prepared statements for database queries. Additionally, restricting network access to the vulnerable endpoint and monitoring for anomalous SQL traffic can reduce risk [1].
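As an added illustration of the mitigation above (not code from this CVE record or from the MGSD product), the string-concatenation pattern that makes an id parameter injectable, beside a replacement that validates the value and binds it through a PDO prepared statement; the table name, column names, DSN and credentials are placeholders.

```php
<?php
// Added example, not MGSD's own code. Assumes a PDO connection to MySQL and a
// hypothetical `products` table; the unsafe function is a generic illustration
// of the concatenation pattern, not the application's actual source.

// Unsafe pattern: the query parameter is spliced into the SQL text, so the
// client controls part of the statement and can turn it into a true/false oracle.
function findProductUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT name, price FROM products WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything that is not a positive integer before the
// database is touched, then bind the value so it can never alter the statement.
function findProductSafe(PDO $db, mixed $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return []; // identical response for every malformed id: nothing to probe
    }
    $stmt = $db->prepare('SELECT name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in the page handler (DSN and credentials are placeholders).
$db = new PDO('mysql:host=localhost;dbname=mgsd', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors go to logs, not the client
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);
$rows = findProductSafe($db, $_GET['id'] ?? '');
```

Keeping the error response for a rejected id identical to that for a missing record denies the attacker the conditional-response signal that blind extraction depends on.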
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.