CVE-2024-58309

CVE Database · CVE-2024-58309

CVE-2024-58309

· CRITICALAnalyzed

CVSS v3.1

9.8

CVSS v4.0

8.7

EPSS

0.50%

Published

Dec 11, 2025

Modified

Dec 30, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-89

Affected Products (1)

xbtitfm · xbtitfmvulnerable

References (3)

https://www.exploit-db.com/exploits/51909

ExploitThird Party AdvisoryVDB Entry

https://www.vulncheck.com/advisories/xbtitfm-unauthenticated-sql-injection-in-shouteditphp

Third Party Advisory

https://xbtitfm.eu

Product

KEV Catalog EPSS Scores Vendors All CVEs