CVE-2024-46532

CRITICAL

OpenHIS 1.0 - SQL Injection via PayController Refund Function

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-46532. PoCs published by KamenRiderDarker.

AI-analyzed exploit summary This repository documents a SQL injection vulnerability (CVE-2024-46532) in OpenHIS, specifically in the `PayController.class.php` file where user-controlled input (`paylog_id`) is directly interpolated into an SQL query without sanitization. The writeup identifies the vulnerable code but does not include a functional exploit or PoC.

Description

SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component.

Exploits (1)

nomisec WRITEUP
by KamenRiderDarker · poc
https://github.com/KamenRiderDarker/CVE-2024-46532

This repository documents a SQL injection vulnerability (CVE-2024-46532) in OpenHIS, specifically in the `PayController.class.php` file where user-controlled input (`paylog_id`) is directly interpolated into an SQL query without sanitization. The writeup identifies the vulnerable code but does not include a functional exploit or PoC.

Classification
Writeup 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Theoretical
Target: OpenHIS V1.0
No auth needed
Prerequisites: Network access to the vulnerable OpenHIS instance
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.0111
EPSS Percentile 61.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Published Oct 11, 2024
Tracked Since Feb 18, 2026