Vulnerability Description
A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database. Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-04-14 UTC.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| St. Joe Erp System Project | St. Joe Erp System | - |
Related Weaknesses (CWE)
References
- https://blog.csdn.net/qq_41904294/article/details/144240396Exploit
- https://en.fofa.info/result?qbase64=5Zyj5LmURVJQ57O757ufProduct
- https://github.com/adysec/POC/blob/main/wpoc/%E5%9C%A3%E4%B9%94ERP/%E5%9C%A3%E4%Exploit
- https://www.vulncheck.com/advisories/st-joes-erp-system-sqliThird Party Advisory
- https://blog.csdn.net/qq_41904294/article/details/144240396Exploit
- https://github.com/adysec/POC/blob/main/wpoc/%E5%9C%A3%E4%B9%94ERP/%E5%9C%A3%E4%Exploit
- https://www.vulncheck.com/advisories/st-joes-erp-system-sqliThird Party Advisory
FAQ
What is CVE-2024-13979?
CVE-2024-13979 is a vulnerability with a CVSS score of 9.8 (CRITICAL). A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login en...
How severe is CVE-2024-13979?
CVE-2024-13979 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-13979?
Check the references section above for vendor advisories and patch information. Affected products include: St. Joe Erp System Project St. Joe Erp System.