Exploit
CVE-2024-9316

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 28, 2024 / Updated: 52d ago

CVSS 5.3 | EPSS 0.05% | Medium

Summary

A critical vulnerability has been discovered in code-projects Blood Bank Management System version 1.0. It affects an unknown function in the file /admin/blood/update/B+.php: manipulation of the 'Bloodname' argument allows SQL injection. The vulnerability can be exploited remotely, with no user interaction or special privileges required.

Impact

The impact of this vulnerability is primarily on data confidentiality. An attacker could potentially:

1. Extract sensitive information from the database, including patient data, blood donor information, and other confidential medical records.
2. Gain unauthorized access to the system, potentially compromising the integrity of the entire blood bank management system.
3. Modify or delete database entries, which could lead to critical errors in blood type matching, inventory management, or patient records.
4. Use the compromised system as a stepping stone to attack other connected systems within the healthcare network.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of now, there is no mention of an available patch for this vulnerability. The affected version is Blood Bank Management System 1.0, and users should monitor for updates from code-projects for a security patch.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Implement strong input validation and sanitization for all user inputs, especially in the affected file /admin/blood/update/B+.php.
2. Use prepared statements or parameterized queries to prevent SQL injection attacks.
3. Apply the principle of least privilege to database accounts used by the application.
4. Consider temporarily disabling the affected functionality if possible without disrupting critical operations.
5. Implement web application firewalls (WAF) to help detect and block SQL injection attempts.
6. Regularly audit and monitor database activities for any suspicious queries or unauthorized access attempts.
7. If possible, isolate the Blood Bank Management System from other critical systems until the vulnerability is addressed.
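As an added illustration of mitigations 1 to 3 (this is not code from code-projects' Blood Bank Management System, whose source is not reproduced on this page), the string-concatenation pattern that typically produces CWE-89 in a PHP update handler is shown beside a hardened version that allow-lists the blood type name and binds it through a PDO prepared statement. The table and column names (blood, Bloodname, id) and the function names are assumptions.

```php
<?php
// Added illustration; the real /admin/blood/update/B+.php is not shown here.
// Table and column names (blood, Bloodname, id) are assumptions.

// Vulnerable pattern (CWE-89): request parameters are spliced straight into the
// SQL text, so whatever arrives in 'Bloodname' becomes part of the statement.
function updateBloodVulnerable(mysqli $db, array $post): bool
{
    $sql = "UPDATE blood SET Bloodname='" . $post['Bloodname'] . "'"
         . " WHERE id=" . $post['id'];
    return $db->query($sql) !== false;
}

// Hardened pattern: validate against the known vocabulary, then bind values as
// parameters so the database never interprets them as SQL.
const ALLOWED_BLOOD_TYPES = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'];

function updateBloodSafe(PDO $db, array $post): bool
{
    $name = $post['Bloodname'] ?? '';
    $id   = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);

    // Allow-list check: a blood type name outside this set is rejected before
    // any SQL is built (mitigation 1).
    if ($id === false || !in_array($name, ALLOWED_BLOOD_TYPES, true)) {
        return false;
    }

    // Prepared statement with bound parameters (mitigation 2). Disabling
    // emulated prepares makes the server, not the driver, do the parameter
    // handling.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare('UPDATE blood SET Bloodname = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}
```

Pair the hardened handler with a database account that holds only the UPDATE privilege this page needs on the relevant table (mitigation 3), so a future injection elsewhere in the application cannot reach data the handler has no business touching.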

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9316

Sep 28, 2024 at 8:15 PM
First Article

Feedly found the first article mentioning CVE-2024-9316.

Sep 28, 2024 at 8:17 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 28, 2024 at 8:18 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.3%)

Sep 29, 2024 at 12:11 PM
CVSS

A CVSS base score of 7.5 has been assigned.

Oct 2, 2024 at 1:30 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 2, 2024 at 3:10 PM

Affected Systems

Code-projects/blood_bank_system

Exploits

https://github.com/cookie5201314/CVE/blob/main/sql2.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9316 Exploit
CVE Id : CVE-2024-9316 Published Date: 2024-10-02T13:29:00+00:00 A vulnerability classified as critical has been found in code-projects Blood Bank Management System 1.0. Affected is an unknown function of the file /admin/blood/update/B+.php. The manipulation of the argument Bloodname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/cookie5201314/CVE/blob/main/sql2.md
CVE-2024-9316
High Severity Description A vulnerability classified as critical has been found in code-projects Blood Bank Management System 1.0. Affected is an unknown function of the file /admin/blood/update/B+.php. The manipulation of the argument Bloodname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9316
Update Sun Sep 29 06:28:03 UTC 2024
CVE-2024-9316
Severity 3.1 (CVSS 3.1 Base Score) A vulnerability classified as critical has been found in code-projects Blood Bank Management System 1.0.
NA - CVE-2024-9316 - A vulnerability classified as critical has been...
A vulnerability classified as critical has been found in code-projects Blood Bank Management System 1.0. Affected is an unknown function of the file /admin/blood/update/B+.php. The manipulation of...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
