# Exploit Title: SQL Injection in Ellevo API (v.6.2.0.38160)
# Google Dork: N/A
# Date: 2024-01-22
# Exploit Author: Mateus Veiga https://www.linkedin.com/in/mateusveigasec/
# Vendor Homepage: https://ellevo.com/
# Version: 6.2.0.38160
# Tested on: Linux
# CVE: CVE-2024-42760

SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component.

This vulnerability allows attackers to execute arbitrary SQL commands through the affected parameters. Successful exploitation could lead to unauthorized database access and data leakage.
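
For triage, the following added example (not part of the original advisory and not Ellevo code) scans web access logs for requests to the affected endpoint whose query parameters contain SQL syntax. It assumes combined-log-format lines and parameters sent in the query string (request bodies are not visible in access logs); the parameter name `filtro`, the path `/api/mob/outro` and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ENDPOINT = "/api/mob/instrucao/conta/destinatarios"  # path named in the advisory

# Combined-log-format request line (assumption: the front end logs in this format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Heuristic SQL-syntax indicators; tune against the deployment's legitimate traffic.
SQLI_RE = re.compile(
    r"""['";]|--|/\*|\b(?:union\s+select|sleep\s*\(|waitfor\s+delay|or\s+\d+\s*=\s*\d+)""",
    re.IGNORECASE,
)

def suspicious_requests(lines):
    """Return (client, status, param, decoded_value) for flagged endpoint hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/").lower() != ENDPOINT:
            continue  # only the endpoint from the advisory is in scope
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # Decode a second time so double-encoded input (%2527) is also seen.
            decoded = unquote_plus(value)
            if SQLI_RE.search(value) or SQLI_RE.search(decoded):
                hits.append((client, int(status), name, decoded))
    return hits

# Constructed sample log lines; "filtro" is a hypothetical parameter name.
SAMPLE = [
    '203.0.113.7 - - [22/Jan/2024:10:00:01 +0000] "GET /api/mob/instrucao/conta/destinatarios?filtro=maria HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Jan/2024:10:00:05 +0000] "GET /api/mob/instrucao/conta/destinatarios?filtro=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812',
    '203.0.113.9 - - [22/Jan/2024:10:00:09 +0000] "GET /api/mob/instrucao/conta/destinatarios?filtro=x%2527 HTTP/1.1" 500 120',
    '198.51.100.4 - - [22/Jan/2024:10:01:00 +0000] "GET /api/mob/outro?filtro=x%27 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

Flagged requests that returned 200 with unusually large responses, or bursts of 500s from one client, are the ones to correlate with database logs first.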
