CVE-2024-4309

HIGH

HubBank 1.0.2 - SQL Injection via id Parameter in Transaction Endpoints

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-4309. PoCs published by Winslowe.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2024-4309, a vulnerability in Xiaomi HyperOS System Updater that allows OTA signature verification bypass. It includes a simulated attack script, a detection script, and comprehensive documentation explaining the root cause and attack flow.

Description

SQL injection vulnerability in HubBank affecting version 1.0.2. This vulnerability could allow an attacker to send a specially crafted SQL query to the database through different endpoints (/user/transaction.php?id=1, /user/credit-debit_transaction.php?id=1,/user/view_transaction. php?id=1 and /user/viewloantrans.php?id=1, id parameter) and retrieve the information stored in the database.

Exploits (1)

github WRITEUP
by Winslowe · htmlpoc
https://github.com/Winslowe/CVE-2024-4309-Analysis

This repository provides a detailed technical analysis of CVE-2024-4309, a vulnerability in Xiaomi HyperOS System Updater that allows OTA signature verification bypass. It includes a simulated attack script, a detection script, and comprehensive documentation explaining the root cause and attack flow.

Classification
Writeup 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Xiaomi HyperOS System Updater
No auth needed
Prerequisites: MITM position on the local network · ability to intercept and modify OTA update traffic
devstral-2 · analyzed May 28, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.1
EPSS 0.0012
EPSS Percentile 31.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (1)
ofofonobsdev/hubbank 1.0.2
Published Apr 29, 2024
Tracked Since Feb 18, 2026