Exploit
CVE-2024-9986

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 15, 2024 / Updated: 35d ago

CVSS 6.9 / EPSS 0.05% / Medium

Summary

A critical vulnerability has been discovered in the Blood Bank Management System version 1.0 developed by fabianros. The vulnerability affects the file member_register.php and allows for SQL injection attacks. The issue stems from improper neutralization of special elements used in SQL commands, specifically in the processing of the fullname, username, password, and email parameters.

Impact

This vulnerability could allow remote attackers to execute arbitrary SQL commands on the underlying database. Potential impacts include:

1. Unauthorized access to sensitive data in the blood bank management system.
2. Modification or deletion of critical patient and donor information.
3. Potential escalation of privileges within the application.
4. Compromise of the entire database's integrity and confidentiality.
5. Possible use of the compromised system as a stepping stone for further network intrusion.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of in-the-wild exploitation at the moment.

Patch

As of this writing, no specific patch has been mentioned for this vulnerability. Users of the Blood Bank Management System 1.0 should contact the vendor (fabianros) for updates or patching information.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Implement strong input validation and sanitization for all user inputs, especially in the member_register.php file.
2. Use prepared statements or parameterized queries to prevent SQL injection.
3. Apply the principle of least privilege to the database user used by the application.
4. Consider temporarily disabling the affected functionality if possible without disrupting critical operations.
5. Monitor logs for any suspicious activities or unexpected SQL queries.
6. If feasible, place a Web Application Firewall (WAF) in front of the application to filter malicious inputs.
7. Regularly back up the database to ensure quick recovery in case of a successful attack.
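The prepared-statement and input-validation mitigations above, as an added example that is not code from the Blood Bank Management System or its author: a hardened registration handler for the fullname, username, password and email parameters of member_register.php. The table and column names, the DSN, the dedicated low-privilege database user `bbms_app` and the environment variable are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code; table/column names and DSN are assumptions.
// It replaces the concatenation pattern "... VALUES ('$fullname', '$username', ...)",
// in which a quote inside any field becomes part of the SQL statement.

function validateMemberInput(array $post): array
{
    $fullname = trim((string)($post['fullname'] ?? ''));
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');
    $email    = trim((string)($post['email'] ?? ''));
    // Allow-list checks on shape and length; they complement binding, not replace it.
    if (!preg_match('/^[\p{L} .\'-]{1,100}$/u', $fullname)) {
        throw new InvalidArgumentException('invalid fullname');
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    if (strlen($password) < 12 || strlen($password) > 256) {
        throw new InvalidArgumentException('invalid password length');
    }
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    return [$fullname, $username, $password, $email];
}

function connectDb(): PDO
{
    // Emulated prepares off: MySQL binds the values server-side.
    $opts = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false];
    return new PDO('mysql:host=localhost;dbname=bbms;charset=utf8mb4',
                   'bbms_app', (string)getenv('BBMS_DB_PASS'), $opts);
}

function registerMember(PDO $db, array $post): int
{
    [$fullname, $username, $password, $email] = validateMemberInput($post);
    // Parameterized INSERT: user data travels as bound values, never as SQL text.
    $stmt = $db->prepare(
        'INSERT INTO members (fullname, username, password_hash, email) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$fullname, $username, password_hash($password, PASSWORD_DEFAULT), $email]);
    return (int)$db->lastInsertId();
}

registerMember(connectDb(), $_POST);
```

Granting `bbms_app` only INSERT/SELECT on the tables the registration page needs is the least-privilege step from item 3; the binding in `registerMember` is what removes the injection itself.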

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-9986.

Oct 15, 2024 at 1:07 PM / CVE
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 15, 2024 at 1:08 PM
CVE Assignment

NVD published the first details for CVE-2024-9986

Oct 15, 2024 at 1:15 PM
CVSS

A CVSS base score of 7.3 has been assigned.

Oct 15, 2024 at 1:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 16, 2024 at 9:58 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 21, 2024 at 1:10 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 21, 2024 at 3:11 PM

Affected Systems

Fabianros/blood_bank_management_system

Exploits

https://github.com/Lanxiy7th/lx_CVE_report-/issues/16

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Vulnerability Summary for the Week of October 14, 2024
High Vulnerabilities (columns: Primary Vendor -- Product / Description / Published / CVSS Score / Source Info / Patch Info)
Acespritech Solutions Pvt. Ltd. -- Social Link Groups: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Acespritech Solutions Pvt. Ltd. Social Link Groups allows Blind SQL Injection. This issue affects Social Link Groups: from n/a through 1.1.0. Published 2024-10-20; CVSS 8.5; CVE-2024-49619; audit@patchstack.com.
acm309 -- PutongOJ: PutongOJ is online judging software. Prior to version 2.1.0-beta.1, unprivileged users can escalate privileges by constructing requests. This can lead to unauthorized access, enabling users to perform admin-level operations, potentially compromising sensitive data and system integrity. This problem has been fixed in v2.1.0.beta.1. As a workaround, one may apply the patch from commit `211dfe9` manually.
CVE-2024-9986 Exploit
CVE Id : CVE-2024-9986 Published Date: 2024-10-21T13:07:00+00:00 A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file member_register.php. The manipulation of the argument fullname/username/password/email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "password" to be affected. But it must be assumed that other parameters are affected as well.
Update Wed Oct 16 14:41:55 UTC 2024

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
