Exploit
CVE-2024-9315

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 28, 2024 / Updated: 52d ago

010
CVSS 5.3EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A critical vulnerability has been discovered in the SourceCodester Employee and Visitor Gate Pass Logging System version 1.0. The vulnerability affects the file /admin/maintenance/manage_department.php and allows for SQL injection through manipulation of the 'id' parameter. This vulnerability can be exploited remotely and requires low privileges and no user interaction.

Impact

The impact of this vulnerability is severe. It allows attackers to potentially execute arbitrary SQL commands on the backend database. This could lead to unauthorized access to sensitive data, modification or deletion of database contents, and possibly even gaining control over the database server. Given the high impacts on confidentiality, integrity, and availability, attackers could potentially access, modify, or delete sensitive employee and visitor information, manipulate access logs, or disrupt the entire gate pass logging system.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the current information, there is no mention of an available patch for this vulnerability. The affected version is Employee and Visitor Gate Pass Logging System 1.0, and users of this version should consider it vulnerable.

Mitigation

Until a patch is available, consider the following mitigation strategies: 1. Implement strong input validation and sanitization for all user inputs, especially for the 'id' parameter in the affected file. 2. Use prepared statements or parameterized queries to prevent SQL injection attacks. 3. Apply the principle of least privilege to database accounts used by the application. 4. Monitor and log all access to the /admin/maintenance/manage_department.php file for suspicious activity. 5. Consider temporarily disabling access to the affected functionality if it's not critical for operations. 6. Implement a Web Application Firewall (WAF) to help filter out malicious requests. 7. Regularly update and patch the system as soon as fixes become available.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9315

Sep 28, 2024 at 7:15 PM
First Article

Feedly found the first article mentioning CVE-2024-9315. See article

Sep 28, 2024 at 7:15 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 28, 2024 at 7:16 PM
CVSS

A CVSS base score of 6.3 has been assigned.

Sep 28, 2024 at 7:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 29, 2024 at 12:11 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 1, 2024 at 1:35 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 1, 2024 at 9:11 PM
Static CVE Timeline Graph

Affected Systems

Oretnom23/employee_and_visitor_gate_pass_logging_system
+null more

Exploits

https://github.com/zonesec0/findcve/issues/3
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...
CVE-2024-9315 Exploit
CVE Id : CVE-2024-9315 Published Date: 2024-10-01T13:33:00+00:00 A vulnerability was found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/maintenance/manage_department.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/zonesec0/findcve/issues/3
CVE-2024-9315
High Severity Description A vulnerability was found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/maintenance/manage_department.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9315
NA - CVE-2024-9315 - A vulnerability was found in SourceCodester...
A vulnerability was found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0. It has been rated as critical. This issue affects some unknown processing of the file...
CVE-2024-9315
Gravedad 3.1 (CVSS 3.1 Base Score) Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI