CVE-2024-9319

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Sep 29, 2024 / Updated: 52d ago

CVSS 5.3 | EPSS 0.05% | Medium

Summary

A critical vulnerability has been discovered in SourceCodester Online Timesheet App version 1.0. The vulnerability affects an unknown part of the file /endpoint/delete-timesheet.php. The issue stems from improper neutralization of special elements used in an SQL command, leading to SQL injection. This vulnerability can be exploited remotely and requires low privileges and no user interaction.

Impact

The impact of this vulnerability is severe. Successful exploitation could lead to unauthorized access, data manipulation, and potential system compromise. An attacker could:

1. Read, modify, or delete sensitive information from the database.
2. Execute administrative operations on the database.
3. In some cases, issue commands to the operating system.

The CVSS v3.1 base score is 8.8 (Critical), with high impacts on confidentiality, integrity, and availability, meaning that exploitation could result in a total compromise of all three.

Exploitation

One proof-of-concept exploit is available on github.com. There is currently no evidence of exploitation in the wild.

Patch

As of the latest information provided, there is no mention of an official patch being available for this vulnerability. The security team should closely monitor for any updates or patches released by SourceCodester for the Online Timesheet App.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:

1. Implement input validation and parameterized queries to prevent SQL injection attacks.
2. Apply the principle of least privilege to the database accounts used by the application.
3. Use a web application firewall (WAF) to filter out malicious requests.
4. Regularly audit and monitor database activity for suspicious behavior.
5. If possible, temporarily disable or restrict access to the vulnerable endpoint (/endpoint/delete-timesheet.php) until a patch is available.
6. Keep the SourceCodester Online Timesheet App and its dependencies up to date with the latest security patches.
7. Consider isolating the affected system to minimize the potential impact on other network resources.
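To make mitigation items 1 and 2 concrete, the following is an added example written for this page; it is not code from SourceCodester or from the Online Timesheet App, whose source the page does not show. It shows how a delete endpoint that receives a `timesheet` parameter can be written so that the parameter is validated first and then passed to the database as a bound value rather than as part of the SQL text. The `timesheet` table with an integer `id` column and a `user_id` owner column, the `$_SESSION['user_id']` layout, and the connection details are all assumptions.

```php
<?php
// Added example (not code from SourceCodester or the Online Timesheet App):
// a delete handler that takes a "timesheet" parameter without ever
// interpolating it into SQL. Table/column names, the session layout and
// the connection details are assumptions.
declare(strict_types=1);

session_start();

/**
 * Delete one timesheet row owned by the current user.
 *
 * Unsafe pattern this replaces (CWE-89): building the statement by string
 * concatenation, e.g. "DELETE FROM timesheet WHERE id=" . $_GET['timesheet'],
 * which makes whatever the client sends part of the SQL text.
 */
function deleteTimesheet(mysqli $conn, int $userId, string $rawId): bool
{
    // Mitigation 1a, input validation: accept only a positive integer.
    // FILTER_VALIDATE_INT rejects quotes, comments, whitespace and any
    // other characters that are not part of a plain integer literal.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // Mitigation 1b, parameterized query: the id is sent as a bound integer,
    // separate from the SQL text, so it can never alter the statement.
    // The user_id condition puts the ownership check inside the query, so a
    // valid id belonging to another user deletes nothing.
    $stmt = $conn->prepare('DELETE FROM timesheet WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $id, $userId);
    $stmt->execute();
    $deleted = ($stmt->affected_rows === 1);
    $stmt->close();

    return $deleted;
}

// Endpoint glue (assumed layout): POST only, and only for a logged-in user.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit;
}

// Turn mysqli errors into exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Placeholder credentials; the account should carry only the DML grants the
// application needs (mitigation 2, least privilege).
$conn = new mysqli('localhost', 'timesheet_app', 'PLACEHOLDER_PASSWORD', 'timesheet_db');

// Only a scalar string is acceptable input; arrays or missing values are rejected.
$raw = $_POST['timesheet'] ?? '';
if (!is_string($raw)) {
    $raw = '';
}

$ok = deleteTimesheet($conn, (int) $_SESSION['user_id'], $raw);

header('Content-Type: application/json');
http_response_code($ok ? 200 : 400);
echo json_encode(['deleted' => $ok]);
```

For item 2, the `timesheet_app` account used above should be granted only SELECT, INSERT, UPDATE and DELETE on the application's own schema (no FILE, SUPER or schema-modification privileges), which bounds what any injection elsewhere in the application could reach. The 400 responses produced by rejected `timesheet` values are also a cheap signal to feed into the monitoring described in item 4, and they make the WAF of item 3 a stopgap rather than the fix.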

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article (Sep 28, 2024 at 11:45 PM / CVE)
Feedly found the first article mentioning CVE-2024-9319.

CVSS Estimate (Sep 28, 2024 at 11:46 PM)
Feedly estimated the CVSS score as HIGH.

CVE Assignment (Sep 29, 2024 at 12:15 AM)
NVD published the first details for CVE-2024-9319.

CVSS (Sep 29, 2024 at 12:15 AM / nvd)
A CVSS base score of 6.3 has been assigned.

EPSS (Sep 29, 2024 at 12:11 PM)
EPSS score was set to 0.05% (percentile: 16.3%).

CVSS (Oct 1, 2024 at 1:30 PM / nvd)
A CVSS base score of 8.8 has been assigned.

Proof of Concept (PoC) Released (Oct 1, 2024 at 9:11 PM)
A proof-of-concept exploit has been released.

Affected Systems

Rems/online_timesheet_app

Exploits

https://github.com/zz0zz0/CVE/blob/main/Online%20Timesheet%20App%20--SQL%20injection/Online%20Timesheet%20App%20--SQL%20injection.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Security Bulletin 02 Oct 2024 - Cyber Security Agency of Singapore
This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing ...

CVE-2024-9319 Exploit
CVE Id: CVE-2024-9319. Published Date: 2024-10-01T13:29:00+00:00. A vulnerability, which was classified as critical, was found in SourceCodester Online Timesheet App 1.0. This affects an unknown part of the file /endpoint/delete-timesheet.php. The manipulation of the argument timesheet leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/zz0zz0/CVE/blob/main/Online%20Timesheet%20App%20--SQL%20injection/Online%20Timesheet%20App%20--SQL%20injection.md

CVE Alert: CVE-2024-9319 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9319/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9319

CVE Alert: CVE-2024-9319
This affects an unknown part of the file /endpoint/delete-timesheet.php. Affected Endpoints:

CVE-2024-9319
High Severity. Description: A vulnerability, which was classified as critical, was found in SourceCodester Online Timesheet App 1.0. This affects an unknown part of the file /endpoint/delete-timesheet.php. The manipulation of the argument timesheet leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9319

CVSS v3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
