CVE-2024-2997

LOW

Bdtask Multi-Store Inventory Management System <20240320 - XSS

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 5 public exploits for CVE-2024-2997. PoCs published by lfillaz, NullEssa, lfilharv.

AI-analyzed exploit summary The repository contains a Python script designed to scan for CVE-2024-2997, a command injection vulnerability. It sends multiple payloads to detect indicators of successful exploitation but does not include functional exploit code to achieve RCE.

Description

A vulnerability was found in Bdtask Multi-Store Inventory Management System up to 20240320. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument Category Name/Model Name/Brand Name/Unit Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-258199. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (5)

nomisec SCANNER 11 stars
by lfillaz · poc
https://github.com/lfillaz/CVE-2024-2997

The repository contains a Python script designed to scan for CVE-2024-2997, a command injection vulnerability. It sends multiple payloads to detect indicators of successful exploitation but does not include functional exploit code to achieve RCE.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Unknown (likely a web application with a specific endpoint)
No auth needed
Prerequisites: Network access to the target · Vulnerable endpoint exposed
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec SCANNER 1 stars
by NullEssa · poc
https://github.com/NullEssa/CVE-2024-2997

The repository contains a Python script designed to scan for CVE-2024-2997 by sending crafted HTTP requests with payloads targeting command injection vulnerabilities. It checks responses for indicators of successful exploitation but does not include functionality to execute arbitrary commands or achieve remote code execution.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Unknown (likely a web application with a specific endpoint vulnerable to command injection)
No auth needed
Prerequisites: Network access to the target · Target endpoint must be exposed and vulnerable
devstral-2 · analyzed Mar 05, 2026 Full analysis →
nomisec WORKING POC 1 stars
by lfilharv · poc
https://github.com/lfilharv/CVE-2024-2997

This repository contains a functional exploit PoC for CVE-2024-2997, targeting a command injection vulnerability in the `/cmd,/simZysh/register_main/setCookie` endpoint. The script sends crafted payloads to execute commands like `id` and `whoami`, and checks for indicators of successful exploitation in the response.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a web application with vulnerable endpoint)
No auth needed
Prerequisites: Network access to the target endpoint
devstral-2 · analyzed Mar 03, 2026 Full analysis →
nomisec SCANNER
by 0xUho · poc
https://github.com/0xUho/CVE-2024-2997

The repository contains a Python script designed to scan for CVE-2024-2997 by sending crafted HTTP requests to target URLs and checking for indicators of command injection vulnerability. It includes multiple payloads and response analysis but does not demonstrate actual exploitation.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Unknown (likely a web application with a specific endpoint vulnerable to command injection)
No auth needed
Prerequisites: target URL · network access to the target
devstral-2 · analyzed Mar 05, 2026 Full analysis →
nomisec SCANNER
by o9-9 · poc
https://github.com/o9-9/CVE-2024-2997

The repository contains a Python script designed to scan for CVE-2024-2997 by sending crafted HTTP requests with payloads targeting command injection vulnerabilities. It checks responses for indicators of successful exploitation but does not include functional exploit code for achieving RCE.

Classification
Scanner 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Theoretical
Target: Unknown (likely a web application with a specific endpoint vulnerable to command injection)
No auth needed
Prerequisites: Network access to the target · Target endpoint must be exposed and vulnerable
devstral-2 · analyzed Apr 21, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory, VDB Entry vdb-entry technical-description
https://vuldb.com/?id.258199
Permissions Required, VDB Entry signature permissions-required
https://vuldb.com/?ctiid.258199
Third Party Advisory, VDB Entry third-party-advisory
https://vuldb.com/?submit.301380

Scores

CVSS v3 2.4
EPSS 0.0121
EPSS Percentile 64.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
bdtask/multi_store_inventory_management_system < 20240320
Published Mar 27, 2024
Tracked Since Feb 18, 2026