
CVE-2024-28560: n/a

Severity: Medium
Published: Fri Mar 22 2024 (03/22/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

SQL injection vulnerability in Niushop B2B2C v.5.3.3 and before allows an attacker to escalate privileges via the deleteArea() function of the Address.php component.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 10:22:33 UTC

Technical Analysis

CVE-2024-28560 is an SQL injection vulnerability identified in Niushop B2B2C version 5.3.3 and earlier. The vulnerability resides in the deleteArea() function of the Address.php component, which improperly sanitizes user input before incorporating it into SQL queries. This flaw allows an attacker with at least limited privileges (PR:L) to inject crafted SQL statements, potentially escalating their privileges within the application. The vulnerability is remotely exploitable over the network (AV:N) without requiring user interaction (UI:N). The CVSS 3.1 base score is 5.4, reflecting a medium severity due to the requirement for some privileges and the limited scope of impact. The primary impact is on confidentiality and integrity, as attackers may access or modify sensitive data or escalate privileges, but availability is not affected. No public exploits are currently known, and no official patches have been linked yet. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Given the nature of Niushop as a B2B2C e-commerce platform, exploitation could lead to unauthorized access to customer or business data and manipulation of address-related records, potentially undermining trust and compliance.

Potential Impact

The vulnerability allows attackers with limited privileges to escalate their access rights, potentially gaining unauthorized control over sensitive data within the Niushop platform. This can lead to exposure or modification of customer addresses and related personal information, undermining confidentiality and data integrity. For organizations relying on Niushop B2B2C for e-commerce operations, this could result in data breaches, regulatory non-compliance (e.g., GDPR), reputational damage, and financial losses. Although availability is not directly impacted, the integrity compromise could disrupt business processes and customer trust. The requirement for some privileges reduces the risk from external unauthenticated attackers but does not eliminate the threat from insiders or compromised accounts. The absence of known exploits suggests limited current exploitation, but the vulnerability remains a significant risk if left unmitigated.

Mitigation Recommendations

Organizations should immediately review and restrict access privileges to the Niushop platform, ensuring that only trusted users have permissions to functions like deleteArea(). Input validation and parameterized queries should be implemented or verified in the Address.php component to prevent SQL injection. Until an official patch is released, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the deleteArea() function. Conduct thorough code audits focusing on SQL query construction and sanitize all user inputs rigorously. Monitor logs for unusual database query patterns or privilege escalations. Additionally, enforce strong authentication and session management controls to limit the risk from compromised accounts. Organizations should subscribe to Niushop security advisories for timely patch releases and apply updates promptly once available.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-03-08T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d92b7ef31ef0b588b9b

Added to database: 2/25/2026, 9:45:54 PM

Last enriched: 2/28/2026, 10:22:33 AM

Last updated: 4/12/2026, 5:13:58 PM

