Home

Description

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

PUBLISHED Reserved 2025-12-11 | Published 2025-12-11 | Updated 2025-12-16 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status
unaffected

4.1.18
affected

Credits

xbtitFM Team finder

References

www.exploit-db.com/exploits/51909 (ExploitDB-51909) exploit

xbtitfm.eu (Official Vendor Homepage) product

www.vulncheck.com/...enticated-sql-injection-in-shouteditphp (VulnCheck Advisory: xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php) third-party-advisory

cve.org (CVE-2024-58309)

nvd.nist.gov (CVE-2024-58309)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.