CVE-2024-5356

MEDIUM

Anji-plus AJ-Report <1.4.1 - SQL Injection

Title source: llm

Description

A vulnerability, which was classified as critical, was found in anji-plus AJ-Report up to 1.4.1. Affected is an unknown function of the file /dataSet/testTransform;swagger-ui. The manipulation of the argument dynSentence leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-266268.

Exploits (1)

nomisec SCANNER 1 stars

by droyuu · poc

https://github.com/droyuu/Aj-Report-sql-CVE-2024-5356-POC

View Code ZIP pw:eip

References (5)

[Permissions Required, VDB Entry] https://vuldb.com/?id.266268

[Permissions Required, VDB Entry] https://vuldb.com/?ctiid.266268

[Third Party Advisory, VDB Entry] https://vuldb.com/?submit.338486

[Broken Link] https://github.com/anji-plus/report/issues/34

[Exploit] https://github.com/anji-plus/report/files/15363269/aj-report.pdf

Scores

CVSS v3 6.3

EPSS 0.0418

EPSS Percentile 88.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

anji-plus/aj-report < 1.4.1

Published May 26, 2024

Tracked Since Feb 18, 2026