CVE-2024-36840

moderate-risk
Published 2024-06-12

SQL Injection vulnerability in Boelter Blue System Management v.1.3 allows a remote attacker to execute arbitrary code and obtain sensitive information via the id parameter to news_details.php and location_details.php; and the section parameter to services.php.

Do I need to act?

!
12.5% chance of exploitation in next 30 days
EPSS score — higher than 87% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

References (12)

http://seclists.org/fulldisclosure/2024/Jun/0
https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/
https://packetstormsecurity.com/files/178978/Boelter-Blue-System-Management-1.3-...
https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp...
https://sploitus.com/exploit?id=PACKETSTORM:178978
https://vuldb.com/?id.267594
http://seclists.org/fulldisclosure/2024/Jun/0
https://infosec-db.github.io/CyberDepot/vuln_boelter_blue/
https://packetstormsecurity.com/files/178978/Boelter-Blue-System-Management-1.3-...
https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp...
https://sploitus.com/exploit?id=PACKETSTORM:178978
https://vuldb.com/?id.267594
48
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 12/34 · Low
Exposure 5/34 · Minimal