Exploit
CVE-2024-9818

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 10, 2024 / Updated: 40d ago

CVSS 6.9 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in the SourceCodester Online Veterinary Appointment System version 1.0. The vulnerability is located in an unknown function within the file /admin/categories/manage_category.php. This flaw allows for SQL injection attacks by manipulating the 'id' parameter. The attack can be executed remotely, and the exploit has been publicly disclosed.

Impact

This SQL injection vulnerability can have severe consequences. Attackers can potentially:
1. Access, modify, or delete sensitive data in the database, including patient records and appointment information.
2. Elevate privileges within the system, potentially gaining administrative access.
3. Execute arbitrary commands on the database server, which could lead to further system compromise.
4. Bypass authentication mechanisms, allowing unauthorized access to the system.
5. In worst-case scenarios, gain complete control over the veterinary appointment system and possibly the underlying server.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of exploitation in the wild at the moment.

Patch

As of now, there is no mention of an available patch for this vulnerability in the SourceCodester Online Veterinary Appointment System version 1.0. The security team should monitor for updates from the vendor and apply any patches as soon as they become available.

Mitigation

While waiting for an official patch, consider the following mitigation strategies:
1. Implement input validation and sanitization for all user inputs, especially the 'id' parameter in the affected file.
2. Use parameterized queries or prepared statements to prevent SQL injection attacks.
3. Apply the principle of least privilege to database accounts used by the application.
4. Implement web application firewalls (WAF) to detect and block SQL injection attempts.
5. Regularly audit and monitor database access and activities for any suspicious behavior.
6. If possible, temporarily disable or restrict access to the affected component (/admin/categories/manage_category.php) until a fix is available.
7. Keep the system and all its components up to date with the latest security patches.
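As an added illustration of mitigations 1 to 3 (example code written for this page, not the SourceCodester project's own handler), the following shows how a request parameter such as 'id' can be validated and bound in a prepared statement before it reaches MySQL. The `categories` table and its columns, the `$pdo` connection string and the `vet_app` database account are assumptions.

```php
<?php
// Illustrative hardened lookup for an integer "id" request parameter.
// Assumed: a PDO connection $pdo and a table `categories` with an
// integer primary key `id` (neither is taken from the real project).

function loadCategory(PDO $pdo, array $query): ?array
{
    // Mitigation 1: validate. The id must be a positive integer; strings,
    // arrays and out-of-range values are rejected before any SQL is built.
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    // Mitigation 2: parameterize. The value is bound as a typed parameter,
    // never concatenated into the query text, so the server always treats
    // it as data rather than as part of the SQL statement.
    $stmt = $pdo->prepare(
        'SELECT id, name, description FROM categories WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Mitigation 3: the `vet_app` account (assumed name, placeholder password)
// should hold only the grants this page needs on `categories`, not
// ALL PRIVILEGES on the schema. Emulated prepares are disabled so the
// binding is performed server-side by MySQL rather than by the PDO driver.
$pdo = new PDO(
    'mysql:host=localhost;dbname=vet_db;charset=utf8mb4',
    'vet_app',
    'CHANGE_ME',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$category = loadCategory($pdo, $_GET);
```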

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-9818.
Oct 10, 2024 at 10:38 PM / Vulners.com RSS Feed

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Oct 10, 2024 at 10:38 PM

CVE Assignment
NVD published the first details for CVE-2024-9818.
Oct 10, 2024 at 11:15 PM

CVSS
A CVSS base score of 7.3 has been assigned.
Oct 10, 2024 at 11:20 PM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 16.4%)
Oct 11, 2024 at 10:19 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 17, 2024 at 6:15 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released.
Oct 17, 2024 at 9:11 PM

Affected Systems

Oretnom23/online_veterinary_appointment_system

Exploits

https://github.com/fezzyang/CVE_report/blob/main/online-veterinary-appointment-system/SQLi.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9818 Exploit
CVE Id : CVE-2024-9818 Published Date: 2024-10-17T18:13:00+00:00 A vulnerability classified as critical has been found in SourceCodester Online Veterinary Appointment System 1.0. Affected is an unknown function of the file /admin/categories/manage_category.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/fezzyang/CVE_report/blob/main/online-veterinary-appointment-system/SQLi.md
CVE-2024-9818
High Severity Description A vulnerability classified as critical has been found in SourceCodester Online Veterinary Appointment System 1.0. Affected is an unknown function of the file /admin/categories/manage_category.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Read more at https://www.tenable.com/cve/CVE-2024-9818
CVE-2024-9818 Description, Impact and Technical Details - Recorded Future
CVE-2024-9818 is a critical vulnerability found in the SourceCodester Online Veterinary Appointment System version 1.0, specifically affecting the ...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
