CVE-2024-28559 is a SQL injection vulnerability found in Niushop B2B2C version 5.3.3 and earlier, specifically within the setPrice() function of the Goodsbatchset.php component. This vulnerability allows an attacker with limited privileges to inject malicious SQL code due to insufficient input validation or improper sanitization of user-supplied data. The injection flaw enables privilege escalation, potentially granting the attacker unauthorized access to sensitive data, modification of database contents, or disruption of application availability. The vulnerability is remotely exploitable over the network without requiring user interaction, and the attacker only needs some level of privileges to trigger the flaw. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction. Although no public exploits have been reported yet, the vulnerability poses a significant risk to organizations using Niushop B2B2C for their e-commerce platforms. The root cause aligns with CWE-89, indicating classic SQL injection due to improper handling of input in the affected PHP component.

The impact of CVE-2024-28559 is substantial for organizations using Niushop B2B2C, as successful exploitation can lead to full compromise of the affected system. Attackers can escalate privileges, potentially gaining administrative access to the e-commerce platform, which may result in unauthorized access to customer data, financial information, and business-critical records. Data integrity can be compromised by unauthorized modification or deletion of product pricing and inventory data, leading to financial losses and operational disruption. Availability may also be affected if attackers manipulate database queries to cause denial-of-service conditions. The breach of confidentiality and integrity can damage customer trust and lead to regulatory penalties, especially in jurisdictions with strict data protection laws. Given the widespread use of Niushop B2B2C in certain markets, the vulnerability could have broad implications for online retail businesses globally.

To mitigate CVE-2024-28559, organizations should prioritize updating Niushop B2B2C to a version where this vulnerability is patched once available. In the absence of an official patch, immediate steps include auditing and restricting access to the setPrice() function and the Goodsbatchset.php component to trusted users only. Implementing Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting this function can provide temporary protection. Conduct thorough input validation and sanitization on all user inputs related to pricing and batch updates, employing parameterized queries or prepared statements to prevent injection. Regularly monitor application logs for suspicious database query patterns indicative of exploitation attempts. Additionally, enforce the principle of least privilege for all user roles to minimize the potential impact of privilege escalation. Finally, organizations should conduct security assessments and penetration testing focused on SQL injection vectors within their Niushop deployment.