CVE-2024-37765

HIGH

Machform < 19 - Authenticated Blind SQL Injection in User Account Settings Page

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-37765. PoCs published by Atreb92.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2024-37765, demonstrating a blind SQL injection vulnerability in MachForm up to version 19. The exploit uses time-based techniques to extract database information, such as the current user, by leveraging the vulnerable `user_admin_theme` parameter in the `my_account.php` endpoint.

Description

Machform up to version 19 is affected by an authenticated Blind SQL injection in the user account settings page.

Exploits (1)

nomisec WORKING POC 1 stars

by Atreb92 · poc

https://github.com/Atreb92/cve-2024-37765

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2024-37765, demonstrating a blind SQL injection vulnerability in MachForm up to version 19. The exploit uses time-based techniques to extract database information, such as the current user, by leveraging the vulnerable `user_admin_theme` parameter in the `my_account.php` endpoint.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: MachForm up to v19

Auth required

Prerequisites: Valid user session (PHPSESSID cookie) · Authenticated access to the target application

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/Atreb92/cve-2024-37765

Scores

CVSS v3 8.8

EPSS 0.0083

EPSS Percentile 52.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

machform/machform < 19

Published Jul 01, 2024

Tracked Since Feb 18, 2026