Exploit
CVE-2024-9079

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 22, 2024 / Updated: 59d ago

CVSS 6.9 / EPSS 0.05% / Medium

Summary

A vulnerability classified as critical was discovered in code-projects Student Record System 1.0. This issue affects some unknown processing of the file /marks.php. The manipulation of the argument coursename leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Impact

This SQL injection vulnerability could allow attackers to execute unauthorized SQL commands on the database. Potential impacts include:

1. Unauthorized access to sensitive student data
2. Modification or deletion of student records
3. Escalation of privileges within the system
4. Potential to compromise the entire database
5. Use of the system as a pivot point to attack other connected systems

Exploitation

Multiple proof-of-concept exploits are available on github.com. There is no evidence of exploitation at the moment.

Patch

The available information does not mention a patch for this vulnerability in code-projects Student Record System 1.0.

Mitigation

1. Update code-projects Student Record System to a version newer than 1.0 if available
2. Implement input validation and parameterized queries to prevent SQL injection
3. Use prepared statements with parameterized queries
4. Apply the principle of least privilege to database accounts
5. Regularly audit and monitor database activities for suspicious behavior
6. Consider using a Web Application Firewall (WAF) to filter malicious inputs
7. Keep the system and all associated software up-to-date with the latest security patches

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-9079.
Sep 22, 2024 at 4:42 AM / CVE

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Sep 22, 2024 at 4:42 AM

CVE Assignment
NVD published the first details for CVE-2024-9079.
Sep 22, 2024 at 5:15 AM

CVSS
A CVSS base score of 7.3 has been assigned.
Sep 22, 2024 at 5:20 AM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 16.3%)
Sep 22, 2024 at 10:49 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Sep 26, 2024 at 4:35 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released.
Sep 26, 2024 at 7:11 PM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 28, 2024 at 9:36 PM / nvd

Affected Systems

Code-projects/student_record_system

Exploits

https://github.com/maybeheisenberg/CVE-2024-9079

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9079 Exploit
CVE Id: CVE-2024-9079. Published Date: 2024-09-26T16:32:00+00:00. A vulnerability was found in code-projects Student Record System 1.0 and classified as critical. This issue affects some unknown processing of the file /marks.php. The manipulation of the argument coursename leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/ppp-src/a/issues/16
Update Mon Sep 23 14:30:17 UTC 2024
CVE Alert: CVE-2024-9079 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9079/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9079
CVE-2024-9079
Critical Severity. Description: A vulnerability was found in code-projects Student Record System 1.0 and classified as critical. This issue affects some unknown processing of the file /marks.php. The manipulation of the argument coursename leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9079

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
