CVE-2024-9817

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS (v4.0): 5.3 | EPSS: 0.05% | Severity: Medium

Summary

A vulnerability classified as critical by its reporter (the assigned CVSS scores range from Medium to High; see Impact) has been found in the Blood Bank System version 1.0 by code-projects. An unspecified part of the file /update.php builds an SQL command from the 'name' argument without neutralizing special characters (CWE-89, SQL injection), so a crafted 'name' value changes the meaning of the query. The attack can be launched over the network, and a working exploit has been publicly disclosed.

Impact

This SQL injection allows an attacker to execute unauthorized SQL statements against the blood bank database. Potential impacts:

1. Data breach: unauthorized read access to sensitive information in the blood bank database, potentially including personal and medical data of donors and recipients.
2. Data manipulation: alteration or deletion of blood bank records, which can affect blood supply management and patient care.
3. System compromise: depending on the database engine and the privileges of the application's database account, SQL injection can be escalated to file access or command execution on the database host (CAPEC-108, listed under Attack Patterns below).
4. Regulatory non-compliance: exposure of medical data may violate healthcare data protection regulations.

Scoring: the first CVSS v3.1 base score assigned was 6.3 (Medium), reflecting low confidentiality, integrity and availability impact. NVD later assigned 8.8 (High), with the v3.1 vector listed below rating all three impacts High. The CVSS v4.0 vector scores 5.3 (Medium). Both vectors assume a network attacker holding low privileges (PR:L), i.e. an account on the application, and no user interaction.

Exploitation

A public proof of concept exists: the write-up linked under Exploits below (https://github.com/RonenWen/cve/blob/main/sql6-update-name.md) was recorded on Oct 17, 2024. There is no evidence of exploitation in the wild at the time of writing.

Patch

As of the latest information available, no patch for this vulnerability in Blood Bank System 1.0 has been published. Users of this system should contact code-projects, the vendor, for information about updates, and should assume they will need to apply the code-level mitigations below themselves in the meantime.

Mitigation

While waiting for an official patch, the following mitigation steps are recommended:

1. Prepared statements: replace dynamic SQL with parameterized queries or prepared statements wherever request parameters reach the database. This is the actual fix; the remaining items are defence in depth.
2. Input validation: apply strict allow-list validation to all user-supplied data, in particular the 'name' parameter handled by /update.php. Validation narrows the attack surface but does not by itself prevent injection.
3. Least privilege: give the database account used by the application only the rights it needs (no file-system or administrative privileges, no access to other schemas). This also blunts the escalation path described by CAPEC-108.
4. Web Application Firewall (WAF): deploy a WAF to detect and block SQL injection attempts. WAF signatures can be bypassed, so treat this as a stopgap, not a fix.
5. Code review: the same concatenation pattern is likely repeated in other pages of the application; review every place where a request parameter is built into a query string.
6. Monitor system logs: watch application and database logs for requests to /update.php whose 'name' parameter contains quote characters, comment sequences (--, #, /*) or SQL keywords, and for database error messages, which often accompany probing.
7. Temporary isolation: if possible, remove the Blood Bank System from public network access until a patch or the fixes above are in place.
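The example below is added here to illustrate items 1 and 2; it is not code from the Blood Bank System or from the exploit write-up, and the table layout, donor rows and payload are constructed for the demonstration. It models an update handler that splices the 'name' argument into an UPDATE statement (the pattern behind CWE-89 in this advisory) and shows how a single crafted value rewrites the WHERE clause so every row is changed, how a bound parameter stores the same value harmlessly, and how an allow-list check rejects the payload while still admitting ordinary names. SQLite is used in place of the application's real database for portability.

```python
import re
import sqlite3

# Constructed sample data standing in for the blood bank's donor table.
SEED_ROWS = [(1, "Alice", "A+"), (2, "Bob", "O-"), (3, "Carol", "B+")]

# Constructed payload for the 'name' argument: closes the string literal,
# replaces the WHERE clause, and comments out the rest of the statement.
PAYLOAD = "Mallory' WHERE 1=1 -- "

# Allow-list for human names (assumption chosen for the demo): letters,
# spaces, dots, hyphens and apostrophes, at most 80 characters.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,79}$")


def fresh_db():
    """Create an in-memory database seeded with the constructed donors."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE donors (id INTEGER PRIMARY KEY, name TEXT, blood_group TEXT)"
    )
    conn.executemany("INSERT INTO donors VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_name_vulnerable(conn, donor_id, name):
    """Hypothetical stand-in for the vulnerable pattern: the 'name' value is
    spliced straight into the SQL text, so quotes and comments in it are
    interpreted as SQL. Returns the statement that was actually executed."""
    sql = f"UPDATE donors SET name = '{name}' WHERE id = {int(donor_id)}"
    conn.execute(sql)
    conn.commit()
    return sql


def update_name_parameterized(conn, donor_id, name):
    """Hardened form: the value travels as a bound parameter and can never
    become part of the statement's structure."""
    conn.execute(
        "UPDATE donors SET name = ? WHERE id = ?", (name, int(donor_id))
    )
    conn.commit()


def is_plausible_name(name):
    """Defence-in-depth allow-list check. It rejects the payload (which
    contains '=' and digits) but still permits names such as O'Brien; the
    parameterized query above is what actually prevents injection."""
    return bool(NAME_RE.match(name))


def names_after(conn):
    """Return all donor names in id order, to observe the effect of an update."""
    return [row[0] for row in conn.execute("SELECT name FROM donors ORDER BY id")]


def demo_vulnerable():
    """Update donor 2 with the payload through the vulnerable path."""
    conn = fresh_db()
    update_name_vulnerable(conn, 2, PAYLOAD)
    return names_after(conn)  # every row renamed: the WHERE clause was replaced


def demo_parameterized():
    """Update donor 2 with the same payload through the hardened path."""
    conn = fresh_db()
    update_name_parameterized(conn, 2, PAYLOAD)
    return names_after(conn)  # only row 2 changes, and it holds the literal text


if __name__ == "__main__":
    print("vulnerable   :", demo_vulnerable())
    print("parameterized:", demo_parameterized())
    print("allow-list   :", is_plausible_name(PAYLOAD), is_plausible_name("O'Brien"))
```

The vulnerable path executes `UPDATE donors SET name = 'Mallory' WHERE 1=1 -- ' WHERE id = 2`, so the original row selector is commented away and all three donors are renamed; with a read-oriented payload the same technique exfiltrates data instead. The parameterized path sends the identical string as data, and the database stores it verbatim in the one intended row.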

CVSS v3.1 vector (base 8.8, High): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0 vector (base 5.3, Medium): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9817. See article

Oct 10, 2024 at 10:38 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 10, 2024 at 10:38 PM
CVE Assignment

NVD published the first details for CVE-2024-9817

Oct 10, 2024 at 11:15 PM
CVSS

A CVSS v3.1 base score of 6.3 (Medium) has been assigned.

Oct 10, 2024 at 11:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A revised CVSS v3.1 base score of 8.8 (High) has been assigned.

Oct 17, 2024 at 6:15 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 17, 2024 at 9:11 PM

Affected Systems

Blood_bank_system_project/blood_bank_system

Exploits

https://github.com/RonenWen/cve/blob/main/sql6-update-name.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9817 Exploit
CVE Id: CVE-2024-9817. Published Date: 2024-10-17T18:12:00+00:00. A vulnerability was found in code-projects Blood Bank System 1.0. It has been classified as critical. This affects an unknown part of the file /update.php. The manipulation of the argument name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/RonenWen/cve/blob/main/sql6-update-name.md
US-CERT Vulnerability Summary for the Week of October 7, 2024
CVE-2024-9817
Medium Severity Description A vulnerability was found in code-projects Blood Bank System 1.0. It has been classified as critical. This affects an unknown part of the file /update.php. The manipulation of the argument name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9817
CVE-2024-9817
Severity 3.1 (CVSS 3.1 Base Score)
CVE Alert: CVE-2024-9817
This affects an unknown part of the file /update.php. Affected Endpoints:

CVSS v3.1 (NVD, base 8.8)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
