CVE-2024-3690

MEDIUM

PHPGurukul Small CRM 3.0 - SQL Injection in Change Password Handler

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-3690. PoCs published by taeseongk.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-3690, demonstrating an SQL injection vulnerability in PHPGurukul Small CRM 3.0. The exploit chain includes account registration, login, SQL injection to write a webshell, and command execution to read a flag file.

Description

A vulnerability classified as critical was found in PHPGurukul Small CRM 3.0. Affected by this vulnerability is an unknown functionality of the component Change Password Handler. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260479.

Exploits (1)

nomisec WORKING POC

by taeseongk · poc

https://github.com/taeseongk/CVE-2024-3690

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-3690, demonstrating an SQL injection vulnerability in PHPGurukul Small CRM 3.0. The exploit chain includes account registration, login, SQL injection to write a webshell, and command execution to read a flag file.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: PHPGurukul Small CRM 3.0

Auth required

Prerequisites: Network access to the target CRM application · MySQL FILE privilege for the CRM database user

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Permissions Required, VDB Entry vdb-entry

https://vuldb.com/?id.260479

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.260479

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.312974

Exploit exploit

https://github.com/psudo-bugboy/CVE-2024

View Exploit ZIP pw:eip

Scores

CVSS v3 6.3

EPSS 0.0128

EPSS Percentile 66.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

phpgurukul/small_crm 3.0

Published Apr 12, 2024

Tracked Since Feb 18, 2026