Exploit
CVE-2024-9976

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 5.3 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in code-projects Pharmacy Management System version 1.0. The vulnerability affects an unknown part of the file /php/manage_customer.php?action=search. The issue stems from improper neutralization of special elements used in an SQL command, leading to SQL injection. This vulnerability can be exploited remotely without requiring user interaction or privileges.

Impact

The impact of this vulnerability is severe. Successful exploitation could lead to unauthorized access to the database, potentially allowing attackers to read, modify, or delete sensitive data. Given the high confidentiality, integrity, and availability impacts, attackers could potentially:

1. Steal sensitive customer information from the pharmacy management system.
2. Alter medication records, prescriptions, or inventory data.
3. Disrupt the system's availability, affecting pharmacy operations.
4. Escalate privileges within the system.
5. Use the compromised system as a stepping stone for further attacks on the network.

Exploitation

One proof-of-concept exploit is available on github.com. There is currently no evidence of exploitation.

Patch

As of the latest information provided, there is no mention of an available patch for this vulnerability in Pharmacy Management System 1.0. Users of this software should contact code-projects for updates on when a security patch will be released.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Implement strong input validation and sanitization for all user inputs, especially in the affected file /php/manage_customer.php?action=search.
2. Use parameterized queries or prepared statements to prevent SQL injection attacks.
3. Apply the principle of least privilege to database accounts used by the application.
4. Implement web application firewalls (WAF) to detect and block SQL injection attempts.
5. Regularly audit and monitor database activities for any suspicious queries or unauthorized access.
6. If possible, temporarily disable or restrict access to the affected functionality until a patch is available.
7. Keep the Pharmacy Management System and all associated components up to date with the latest security patches.
8. Consider using additional security layers such as intrusion detection/prevention systems (IDS/IPS) to monitor and protect against potential attacks.
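Mitigation items 1 to 3 applied to a search handler of the kind described above, as an added example (not code from code-projects or from this page). Only the `action=search` route and the `text` argument come from the advisory; the `customers` table, its columns, the read-only account name, the use of GET and the function name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical hardened customer search.
// Table, column and account names are assumptions, not the project's schema.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Defect class (CWE-89): the request value becomes part of the SQL text.
//   $sql = "SELECT ... WHERE name LIKE '%" . $_GET['text'] . "%'";

function search_customers(mysqli $db, string $text): array
{
    // Input validation: bound the length and reject control characters.
    if (strlen($text) > 64 || preg_match('/[\x00-\x1F\x7F]/', $text)) {
        throw new InvalidArgumentException('invalid search text');
    }

    // Escape LIKE wildcards so % and _ in the input match literally
    // (backslash is MySQL's default LIKE escape character).
    $pattern = '%' . addcslashes($text, '\\%_') . '%';

    // The SQL text is constant; the value travels separately as a bound
    // parameter, so quotes in it cannot change the statement's structure.
    $stmt = $db->prepare(
        'SELECT id, name, contact_number FROM customers
          WHERE name LIKE ? ORDER BY name LIMIT 50'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// Handler wiring (assumed): accept the search value only as a plain string.
if (PHP_SAPI !== 'cli' && ($_GET['action'] ?? '') === 'search') {
    $text = $_GET['text'] ?? '';
    if (!is_string($text)) { http_response_code(400); exit; }
    // Least privilege: an account with SELECT on this one table only.
    $db = new mysqli('localhost', 'pharmacy_ro', getenv('DB_PASS') ?: '', 'pharmacy');
    $db->set_charset('utf8mb4');
    header('Content-Type: application/json');
    echo json_encode(search_customers($db, $text));
}
```

The length and character checks narrow what reaches the query, but the bound parameter is what removes the injection; validation alone does not.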

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article
Feedly found the first article mentioning CVE-2024-9976.
Oct 15, 2024 at 11:11 AM / Vulners.com RSS Feed

CVSS Estimate
Feedly estimated the CVSS score as HIGH
Oct 15, 2024 at 11:11 AM

CVE Assignment
NVD published the first details for CVE-2024-9976
Oct 15, 2024 at 11:15 AM

CVSS
A CVSS base score of 6.3 has been assigned.
Oct 15, 2024 at 11:20 AM / nvd

EPSS
EPSS Score was set to: 0.05% (Percentile: 16.4%)
Oct 16, 2024 at 11:00 AM

CVSS
A CVSS base score of 9.8 has been assigned.
Oct 16, 2024 at 1:45 PM / nvd

Proof of Concept (PoC) Released
A proof of concept exploit has been released
Oct 16, 2024 at 3:11 PM

Affected Systems

Code-projects/pharmacy_management_system

Exploits

https://gist.github.com/higordiego/b57040961b993cb5f1bfe0005f6b57be

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Vulnerability Summary for the Week of October 14, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source Info Patch Info Acespritech Solutions Pvt. Ltd.–Social Link Groups Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection. This issue affects Social Link Groups: from n/a through 1.1.0. 2024-10-20 8.5 CVE-2024-49619 audit@patchstack.com acm309–PutongOJ PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
CVE-2024-9976 Exploit
CVE Id : CVE-2024-9976 Published Date: 2024-10-16T13:42:00+00:00 A vulnerability classified as critical has been found in code-projects Pharmacy Management System 1.0. This affects an unknown part of the file /php/manage_customer.php?action=search. The manipulation of the argument text leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. inTheWild added a link to an exploit: https://gist.github.com/higordiego/b57040961b993cb5f1bfe0005f6b57be

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
