CVE-2024-36837

HIGH · NUCLEI

CRMEB 5.2.2 - SQL Injection via ProductController.php getProductList Function

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-36837. PoCs were published by phtcloud-dev and lhc321-source. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a Python script that scans for SQL injection vulnerability in CRMEB Mall by checking for a specific string in the response. It does not exploit the vulnerability but detects it.

Description

SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.

Exploits (2)

nomisec · SCANNER · 4 stars
by phtcloud-dev · poc
https://github.com/phtcloud-dev/CVE-2024-36837

The repository contains a Python script that scans for SQL injection vulnerability in CRMEB Mall by checking for a specific string in the response. It does not exploit the vulnerability but detects it.

Classification: Scanner (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: CRMEB Mall (CRMEB-KY v5.2.2 and higher)
Authentication: No auth needed
Prerequisites: Target URL with vulnerable endpoint
Analyzed by devstral-2 · Feb 18, 2026
nomisec · WORKING POC · 2 stars
by lhc321-source · poc
https://github.com/lhc321-source/CVE-2024-36837

This repository contains a functional exploit for CVE-2024-36837, a SQL injection vulnerability in CRMEB SRM2.0. The exploit leverages a crafted HTTP request to the `/api/products` endpoint to extract data via SQL injection, confirmed by checking for a specific MD5 hash in the response.

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: CRMEB SRM2.0
Authentication: No auth needed
Prerequisites: Target URL with vulnerable CRMEB SRM2.0 instance
Analyzed by devstral-2 · Feb 18, 2026

Nuclei Templates (1)

CRMEB v.5.2.2 - SQL Injection
HIGH · VERIFIED · by DhiyaneshDk
FOFA: title="CRMEB"

Scores

CVSS v3: 7.5
EPSS: 0.0831
EPSS Percentile: 94.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (1): crmeb/crmeb 5.2.2
Published: Jun 05, 2024
Tracked Since: Feb 18, 2026