CVE-2024-0884: SourceCodester Online Tours & Travels Management System payment.php exec sql injection

4.7 CVSS

Description

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been rated as critical. This issue affects the function exec of the file payment.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252035. Eine Schwachstelle wurde in SourceCodester Online Tours & Travels Management System 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Davon betroffen ist die Funktion exec der Datei payment.php. Durch die Manipulation des Arguments id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

Classification

CVE ID: CVE-2024-0884

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.7

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Problem Types

CWE-89 SQL Injection

Affected Products

Vendor: SourceCodester

Product: Online Tours & Travels Management System

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.11% (probability of being exploited)

EPSS Percentile: 29.78% (scored less or equal to compared to others)

EPSS Date: 2025-06-07 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0884
https://vuldb.com/?id.252035
https://vuldb.com/?ctiid.252035
https://blog.csdn.net/Q_M_0_9/article/details/135846415

Timeline

2025-06-03 19:40:22 UTC
CVE

SourceCodester Online Tours & Travels Management System payment.php exec sql injection