Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
A critical vulnerability has been discovered in code-projects Online Quiz Site version 1.0. The issue affects the processing of the file showtest.php, where manipulation of the 'subid' argument can lead to SQL injection. This vulnerability can be exploited remotely, and the exploit has been publicly disclosed.
This SQL injection vulnerability allows attackers to remotely execute malicious SQL commands, potentially leading to unauthorized access, data theft, or manipulation of the database. Given the critical nature of the vulnerability, attackers could potentially:
1. Access sensitive user information stored in the database.
2. Modify or delete crucial data.
3. Escalate privileges within the application.
4. Execute arbitrary commands on the database server.
5. Compromise the integrity and confidentiality of the entire Online Quiz Site system.
One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.
As of the current information, there is no specific patch mentioned for this vulnerability. The affected version is Online Quiz Site 1.0, and users should look for updates or patches from the vendor, fabianros.
While waiting for an official patch, consider the following mitigation strategies:
1. Implement input validation and sanitization for all user inputs, especially for the 'subid' parameter in showtest.php.
2. Use parameterized queries or prepared statements to prevent SQL injection.
3. Apply the principle of least privilege to database accounts used by the application.
4. Enable SQL injection protection features in your web application firewall (WAF) if available.
5. Monitor and log database activities to detect potential exploitation attempts.
6. Consider temporarily disabling the affected functionality if possible without significant business impact.
7. Keep the Online Quiz Site and its dependencies up to date with the latest security patches.
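The following is an added example, not code from the Online Quiz Site project; the advisory does not show the real query in showtest.php. It contrasts the string-concatenation pattern that produces this class of bug with a hardened handler that applies mitigations 1 to 3 above (type validation of 'subid', a PDO prepared statement, and a read-only database account). The table `subjects`, column `subject_name`, database `quiz`, account `quiz_reader` and environment variable `QUIZ_DB_PASSWORD` are assumed names.

```php
<?php
// Added example; the schema, table and account names below are assumptions.

// Illustrative vulnerable pattern (hypothetical, not the project's code):
// the request parameter is interpolated into the SQL string, so any
// attacker-controlled value becomes part of the query. Do not use this form.
function showTestVulnerable(mysqli $db, array $get): ?array
{
    $subid = $get['subid'] ?? '';
    $sql = "SELECT * FROM subjects WHERE subid = '" . $subid . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened form: validate the parameter's type, then bind it as a typed value
// in a prepared statement. The server receives the query structure and the
// value separately, so the value can never change what the query does.
function showTestHardened(PDO $db, array $get): ?array
{
    // Mitigation 1: subid must be a positive integer; anything else is rejected.
    $subid = filter_var($get['subid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($subid === false) {
        http_response_code(400);
        return null; // refuse the request instead of guessing at intent
    }

    // Mitigation 2: the placeholder is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT subid, subject_name FROM subjects WHERE subid = :subid'
    );
    $stmt->bindValue(':subid', $subid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection settings that matter for the fix: server-side prepared statements
// (no client-side emulation) and exceptions on error so failures are not
// silently swallowed. Mitigation 3: `quiz_reader` is assumed to hold SELECT
// only, so even a future injection bug could not modify or delete data.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=quiz;charset=utf8mb4';
    return new PDO($dsn, 'quiz_reader', getenv('QUIZ_DB_PASSWORD') ?: '', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

For detection (mitigation 5), log the rejected 400 responses from the validation step together with the offending raw 'subid' value; a burst of non-integer values on that parameter is a reliable signal of probing.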
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Feedly found the first article mentioning CVE-2024-9009.
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-9009
A CVSS base score of 6.3 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 16.4%)
A CVSS base score of 9.8 has been assigned.