CVE-2024-9894

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 12, 2024 / Updated: 38d ago

CVSS 5.3 (Medium, CVSS 4.0 base score) / EPSS 0.05%

Summary

A SQL injection vulnerability has been disclosed in code-projects Blood Bank System version 1.0. It was classified as critical by the reporter; NVD's CVSS v3.1 base score is 8.8 (High). The flaw is in an unknown function of the file reset.php: the 'useremail' argument is placed into an SQL query without proper neutralization (CWE-89), so a remote attacker who controls that parameter can alter the query the application sends to the database.

Impact

This SQL injection can have severe consequences. NVD's CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) scores it 8.8 (High): the flaw is reachable over the network with low attack complexity and no user interaction, although the vector rates it as requiring low privileges. Because the injection point is the 'useremail' argument of reset.php, which appears to be part of the password-reset flow, an attacker could potentially: 1. Read, modify or delete data in the application's database, including patient records and blood donation data. 2. Manipulate the user lookup so that it matches an arbitrary account, hijacking accounts or escalating privileges within the application. 3. If the database account is over-privileged, abuse database features (for example file writes) to reach the underlying server; see CAPEC-108 under Attack Patterns. 4. Compromise the blood bank management system as a whole. 5. Use the compromised system as a stepping stone for further attacks on connected systems. Note that the scores on record differ: a base score of 6.3 was assigned on Oct 12 and 8.8 on Oct 16 (see Timeline), and the CVSS 4.0 vector below scores 5.3 (Medium). Prioritize on the basis of the 8.8 rating and the public proof of concept.

Exploitation

One proof-of-concept write-up is publicly available on github.com (see Exploits below). There is currently no evidence of exploitation in the wild.

Patch

As of the latest information available, no patch for this vulnerability in Blood Bank System version 1.0 has been published. The security team should monitor the vendor, code-projects, for any update or patched release.

Mitigation

While waiting for an official patch, the security team should consider the following mitigation strategies:

1. Validate all user input, and in particular the 'useremail' parameter in reset.php (for example, reject anything that is not a syntactically valid email address). Validation alone is not a complete fix; see item 2.
2. Use prepared statements or parameterized queries instead of building SQL by string concatenation. This is the fix that actually removes the injection.
3. Apply the principle of least privilege to the database account used by the application: grant only the SELECT/INSERT/UPDATE/DELETE rights it needs on its own schema, and no FILE, administrative or cross-database privileges.
4. Enable SQL injection rules in any Web Application Firewall (WAF) that fronts the application, as a stopgap rather than a substitute for item 2.
5. Log and monitor database activity and web server requests to reset.php to detect suspicious queries or unusual values in the 'useremail' parameter.
6. Consider temporarily disabling the password-reset functionality if this can be done without disrupting critical operations.
7. Keep the underlying database management system and PHP runtime updated.
8. Conduct a code review of the Blood Bank System focused on SQL query construction and user input handling; other scripts in the same code base are likely to follow the same pattern as reset.php.

Given the severity of the vulnerability (CVSS v3.1 8.8, High), its ease of exploitation (low attack complexity, network vector, no user interaction required) and the public proof of concept, prioritizing these mitigations is crucial.
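The following is an added illustration of mitigation items 1 to 3, written for this page; it is not the code-projects Blood Bank System source, and the page does not show the vulnerable function. The table and column names (users, id, email), the function names and the connection parameters are assumptions. The vulnerable form shows the CWE-89 pattern described in the summary (the 'useremail' value concatenated into a query); the hardened form validates the input and binds it as a parameter with mysqli prepared statements.

```php
<?php
// Added example, not the project's code. Table/column names (users, id, email),
// function names and credentials are assumptions for illustration only.
declare(strict_types=1);

// Make mysqli throw on errors so failures are not silently turned into
// "no user found" (which would also hide injection attempts from the logs).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Vulnerable pattern (do not use): the useremail value is concatenated into
 * the SQL text, so input such as   ' OR '1'='1   rewrites the WHERE clause
 * and a UNION-based payload can read other tables.
 */
function lookupUserVulnerable(mysqli $db, string $useremail): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $useremail . "'";
    $result = $db->query($sql);            // attacker-controlled SQL reaches the server
    $row = $result->fetch_assoc();
    return $row === null || $row === false ? null : $row;
}

/**
 * Hardened form: reject values that are not email addresses, then pass the
 * value as a bound parameter. The driver sends it separately from the SQL
 * text, so quotes, comments or UNION keywords in it are never parsed as SQL.
 */
function lookupUserSafe(mysqli $db, string $useremail): ?array
{
    if (filter_var($useremail, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // defence in depth; binding is the real fix
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $useremail);    // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row === null || $row === false ? null : $row;
}

// Usage in a reset handler. The account 'bloodbank_app' is assumed to hold only
// SELECT/INSERT/UPDATE/DELETE on the bloodbank schema (least privilege, item 3),
// so even a residual injection cannot read files or other databases.
$db = new mysqli('localhost', 'bloodbank_app', 'app-password', 'bloodbank');
$db->set_charset('utf8mb4');

$useremail = (string)($_POST['useremail'] ?? '');
$user = lookupUserSafe($db, $useremail);

// Respond identically whether or not the address exists, so the reset form
// cannot be used to enumerate registered accounts.
echo 'If that address is registered, a reset link has been sent.';
if ($user !== null) {
    // ... generate a random, single-use, expiring token for $user['id'] and email it ...
}
```

The two functions differ only in how the value reaches the database: in lookupUserVulnerable the string becomes part of the SQL grammar, in lookupUserSafe it is a value bound to a placeholder. PDO with named placeholders gives the same protection; what matters is that no user-controlled text is concatenated into the query. The same change should be applied to every script in the code base that builds SQL from request parameters, not only to reset.php.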

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9894. See article

Oct 12, 2024 at 12:47 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 12, 2024 at 12:48 PM
CVE Assignment

NVD published the first details for CVE-2024-9894

Oct 12, 2024 at 1:15 PM
CVSS

A CVSS base score of 6.3 has been assigned.

Oct 12, 2024 at 1:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 13, 2024 at 12:22 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Oct 16, 2024 at 10:15 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 17, 2024 at 1:10 AM

Affected Systems

Blood_bank_system_project/blood_bank_system

Exploits

https://github.com/siyuancn-hub/cve/blob/main/sql7-.md

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

CVE-2024-9894 Exploit
CVE Id : CVE-2024-9894 Published Date: 2024-10-16T22:13:00+00:00 A vulnerability, which was classified as critical, was found in code-projects Blood Bank System 1.0. Affected is an unknown function of the file reset.php. The manipulation of the argument useremail leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://github.com/siyuancn-hub/cve/blob/main/sql7-.md
US-CERT Vulnerability Summary for the Week of October 7, 2024
ABB – RobotWare 6: An attacker who successfully exploited these vulnerabilities could cause the robot to stop. A vulnerability exists in the PROFINET stack included in the RobotWare versions listed below. This vulnerability arises under a specific condition when a specially crafted message is processed by the system. Below are reported vulnerabilities in the RobotWare versions. * IRC5 – RobotWare 6 (2024-10-10, 5.1, CVE-2024-6157)
adamskaat – Read more By Adam: The Read more By Adam plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteRm() function in all versions up to, and including, 1.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete read more buttons. (2024-10-12, 4.3, CVE-2024-9187)
adobe – animate: Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (2024-10-09, 5.5, CVE-2024-47419)
adobe – animate: Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR.
CVE-2024-9894 Description, Impact and Technical Details - Recorded Future
CVE-2024-9894 is a critical vulnerability affecting the Blood Bank System version 1.0, specifically in the reset.php file due to SQL injection ...
CVE Alert: CVE-2024-9894 - https://www.redpacketsecurity.com/cve_alert_cve-2024-9894/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_9894
CVE Alert: CVE-2024-9894

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
