Exploit
CVE-2024-9804

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 10, 2024 / Updated: 40d ago

010
CVSS 5.1EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A critical vulnerability has been identified in the Blood Bank System version 1.0 developed by code-projects. The vulnerability affects the file /admin/campsdetails.php and allows for SQL injection through the manipulation of the 'hospital' argument. This vulnerability can be exploited remotely and does not require user interaction.

Impact

The primary impact of this vulnerability is on data confidentiality. If exploited, an attacker could potentially access, modify, or extract sensitive information from the database. This could lead to unauthorized access to patient records, donor information, or other critical data stored in the blood bank system. The integrity and availability of the system do not appear to be directly affected based on the provided CVSS scores.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

As of the current information, there is no mention of an available patch for this vulnerability. The security team should closely monitor for any updates or patches released by code-projects for the Blood Bank System 1.0.

Mitigation

Until a patch is available, the following mitigation steps are recommended: 1. Implement input validation and sanitization for all user inputs, especially for the 'hospital' parameter in the affected file. 2. Use prepared statements or parameterized queries to prevent SQL injection attacks. 3. Apply the principle of least privilege to database accounts used by the application. 4. Consider implementing a Web Application Firewall (WAF) to filter out malicious SQL injection attempts. 5. Regularly audit and monitor database access logs for any suspicious activities. 6. If possible, temporarily restrict access to the affected /admin/campsdetails.php file until a proper fix can be implemented.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9804. See article

Oct 10, 2024 at 9:25 AM / VulDB Updates
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 9:26 AM
CVE Assignment

NVD published the first details for CVE-2024-9804

Oct 10, 2024 at 6:15 PM
CVSS

A CVSS base score of 4.7 has been assigned.

Oct 10, 2024 at 6:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 4.9 has been assigned.

Oct 15, 2024 at 7:20 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 15, 2024 at 9:10 PM
Static CVE Timeline Graph

Affected Systems

Code-projects/blood_bank_system
+null more

Exploits

https://github.com/sternstundes/cve/blob/main/sql5-campdetails.md
+null more

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection
+null more

News

US-CERT Vulnerability Summary for the Week of October 7, 2024
ABB–RobotWare 6 An attacker who successfully exploited these vulnerabilities could cause the robot to stop. A vulnerability exists in the PROFINET stack included in the RobotWare versions listed below. This vulnerability arises under specific condition when specially crafted message is processed by the system. Below are reported vulnerabilities in the Robot Ware versions. * IRC5- RobotWare 6 2024-10-10 5.1 CVE-2024-6157 [email protected] adamskaat–Read more By Adam The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons. 2024-10-12 4.3 CVE-2024-9187 [email protected] [email protected] adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2024-10-09 5.5 CVE-2024-47419 [email protected] adobe — animate Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR.
CVE-2024-9804 Exploit
CVE Id : CVE-2024-9804 Published Date: 2024-10-15T19:17:00+00:00 A vulnerability was found in code-projects Blood Bank System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/campsdetails.php. The manipulation of the argument hospital leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. inTheWild added a link to an exploit:
CVE Alert: CVE-2024-9804 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9804/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9804
CVE-2024-9804
This vulnerability affects unknown code of the file /admin/campsdetails.php. Gravedad 3.1 (CVSS 3.1 Base Score)
NA - CVE-2024-9804 - A vulnerability was found in code-projects...
A vulnerability was found in code-projects Blood Bank System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/campsdetails.php. The manipulation of...
See 8 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:None
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI