CVE-2024-10296

4.7 MEDIUM

📋 TL;DR

This CVE describes a critical SQL injection vulnerability in PHPGurukul Medical Card Generation System 1.0. An attacker who can reach the card reports functionality can manipulate its date parameters (fromdate/todate) to execute arbitrary SQL commands against the backing database. Organizations using this medical card system are affected.

💻 Affected Systems

Products:
  • PHPGurukul Medical Card Generation System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /admin/card-bwdates-reports-details.php file to be accessible and the report functionality to be enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, or system takeover via SQL injection to execute arbitrary commands.

🟠 Likely Case

Unauthorized data access and extraction of sensitive medical card information, potentially including personal health data.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin access to reach the vulnerable endpoint, but SQL injection itself is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries manually in the affected PHP file.

🔧 Temporary Workarounds

Input Validation and Sanitization (platforms: all)

Add server-side validation for the fromdate and todate parameters to reject malicious input.

Edit /admin/card-bwdates-reports-details.php to validate the date format and sanitize inputs.

Web Application Firewall (WAF) (platforms: all)

Deploy WAF rules to block SQL injection patterns targeting the date parameters.
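The following is an added example of what the "input validation and parameterized queries" mitigation looks like in practice; it is not PHPGurukul's code and is not taken from the affected file. It assumes the application uses mysqli, that the parameters arrive via POST, and that the table and column names (tblcard, CardDate, CardNumber, PatientName) are placeholders for whatever the real report query selects. The two ideas that matter are independent of those assumptions: reject anything that is not a real YYYY-MM-DD date before touching the database, and bind the surviving values as parameters so they can never be interpreted as SQL.

```php
<?php
// Added example (not PHPGurukul's code): a hardened replacement for the
// date-range report query in /admin/card-bwdates-reports-details.php.
// Table and column names below are hypothetical placeholders.

declare(strict_types=1);

/**
 * Validate a user-supplied report date. Returns the normalised Y-m-d string,
 * or null if the value is missing, malformed, or not a real calendar date.
 */
function validate_report_date(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    // Strict shape check first: exactly YYYY-MM-DD and nothing else.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    // Reject impossible dates such as 2024-02-30 that still match the regex.
    $dt = DateTime::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

/**
 * Validate both ends of the range and require from <= to.
 * Returns [from, to] on success, or null when the request must be rejected.
 */
function validate_report_range(?string $from, ?string $to): ?array
{
    $from = validate_report_date($from);
    $to   = validate_report_date($to);
    // Y-m-d strings compare correctly as plain strings.
    if ($from === null || $to === null || $from > $to) {
        return null;
    }
    return [$from, $to];
}

/**
 * Run the report query with a prepared statement so the date values are
 * bound as data and never interpolated into the SQL text.
 */
function fetch_cards_between(mysqli $con, string $from, string $to): array
{
    $sql = 'SELECT ID, CardNumber, PatientName, CardDate '
         . 'FROM tblcard WHERE DATE(CardDate) BETWEEN ? AND ?';
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('ss', $from, $to);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Request handling: reject bad input before any SQL is built.
if (isset($_POST['fromdate'], $_POST['todate'])) {
    $range = validate_report_range($_POST['fromdate'], $_POST['todate']);
    if ($range === null) {
        http_response_code(400);
        exit('Invalid date range');
    }
    [$from, $to] = $range;
    // $con is assumed to be the application's existing mysqli connection.
    // $rows = fetch_cards_between($con, $from, $to);
}
```

The validation layer alone is enough to stop this bug, but the prepared statement is what keeps it fixed: if a later edit adds another filter to the query, it cannot reintroduce string concatenation of request data. Pair both with a database account that only has SELECT on the report tables, as the "If Mitigated" case above describes.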

🧯 If You Can't Patch

  • Restrict access to the /admin/ directory to trusted IP addresses only
  • Disable the Medical Card Generation System if not essential

🔍 How to Verify

Check if Vulnerable:

Test the /admin/card-bwdates-reports-details.php endpoint with SQL injection payloads in fromdate/todate parameters

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Verify that malformed date values are rejected with an appropriate error message and no longer alter the report query.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin panel followed by report access

Network Indicators:

  • HTTP requests to /admin/card-bwdates-reports-details.php with suspicious date parameters containing SQL syntax

SIEM Query:

source="web_logs" AND uri="/admin/card-bwdates-reports-details.php" AND (param="fromdate" OR param="todate") AND (value="' OR" OR value="' UNION" OR value="' SELECT")
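As an added illustration of the network indicator and SIEM query above (not part of the original advisory), the script below reviews web server access logs for requests to the report endpoint whose fromdate/todate values contain SQL syntax instead of a date. The log lines are constructed samples in combined log format; the parsing assumes the parameters appear in the query string, since a POST body is not visible in an access log and would need application-level logging to inspect.

```php
<?php
// Added example (not part of the advisory): flag requests to the vulnerable
// endpoint whose date parameters contain SQL syntax. Sample log lines are
// constructed for this example.

declare(strict_types=1);

const TARGET_PATH = '/admin/card-bwdates-reports-details.php';

/** True if a date parameter value looks like SQL rather than a date. */
function looks_like_injection(string $value): bool
{
    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', trim($value))) {
        return false;            // well-formed date, nothing to flag
    }
    // Quote characters, comment markers, or common SQL keywords.
    return (bool) preg_match(
        '/[\'"]|--|\/\*|#|\b(OR|AND|UNION|SELECT|SLEEP|BENCHMARK)\b/i',
        $value
    );
}

/** Parse one combined-format access log line; null if it does not match. */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'uri'    => $m[4],
        'status' => (int) $m[5],
    ];
}

/** Scan log lines and return the suspicious report requests found. */
function find_suspicious_report_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $parts = parse_url($req['uri']);
        if (($parts['path'] ?? '') !== TARGET_PATH) {
            continue;
        }
        // parse_str URL-decodes the values, so %27 becomes a quote here.
        parse_str($parts['query'] ?? '', $params);
        foreach (['fromdate', 'todate'] as $p) {
            if (isset($params[$p]) && looks_like_injection((string) $params[$p])) {
                $hits[] = [
                    'ip'    => $req['ip'],
                    'time'  => $req['time'],
                    'param' => $p,
                    'value' => $params[$p],
                ];
            }
        }
    }
    return $hits;
}

// Constructed samples: a benign report request, one with SQL in todate,
// and an unrelated admin page request that must not be flagged.
$sample = [
    '203.0.113.5 - - [10/Oct/2024:09:12:01 +0000] "GET /admin/card-bwdates-reports-details.php?fromdate=2024-01-01&todate=2024-01-31 HTTP/1.1" 200 4312',
    '203.0.113.9 - - [10/Oct/2024:09:13:44 +0000] "GET /admin/card-bwdates-reports-details.php?fromdate=2024-01-01&todate=2024-01-31%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '203.0.113.9 - - [10/Oct/2024:09:14:02 +0000] "GET /admin/index.php HTTP/1.1" 200 512',
];

foreach (find_suspicious_report_requests($sample) as $hit) {
    printf("%s %s param=%s value=%s\n", $hit['time'], $hit['ip'], $hit['param'], $hit['value']);
}
```

Only the second sample line is reported. Because the check is "not a well-formed date" first and "contains SQL tokens" second, the rule stays quiet on legitimate report runs while catching variants the literal substrings in the SIEM query above would miss, such as URL-encoded quotes or comment sequences.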
