CVE-2024-10300 – This critical SQL injection vulnerability in PH... (How to Fix)

Q: What is the severity of CVE-2024-10300?

CVE-2024-10300 has a CVSS score of 4.7 (MEDIUM). This critical SQL injection vulnerability in PHPGurukul Medical Card Generation System 1.0 allows attackers to manipulate database queries through the viewid parameter on the admin view-enquiry.php page. Attackers can potentially read, modify, or delete database content. All installations of version 1.0 with the vulnerable component exposed are affected.

📋 TL;DR

This critical SQL injection vulnerability in PHPGurukul Medical Card Generation System 1.0 allows attackers to manipulate database queries through the viewid parameter on the admin view-enquiry.php page. Attackers can potentially read, modify, or delete database content. All installations of version 1.0 with the vulnerable component exposed are affected.

💻 Affected Systems

Products:

PHPGurukul Medical Card Generation System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the /admin/view-enquiry.php component to be accessible. Default installations are vulnerable.

📦 What is this software?

Medical Card Generation System by Phpgurukul

View all CVEs affecting Medical Card Generation System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive medical data theft, authentication bypass, remote code execution, or system takeover.

🟠

Likely Case

Unauthorized data access and extraction of sensitive information from the database, potentially including patient records and administrative credentials.

🟢

If Mitigated

Limited impact due to proper input validation, parameterized queries, and database permissions restricting unauthorized access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires admin access to reach the vulnerable page. SQL injection techniques are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries in /admin/view-enquiry.php, validate and sanitize viewid input, and apply proper input validation.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to ensure viewid parameter contains only expected values (e.g., numeric IDs)

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns targeting the /admin/view-enquiry.php endpoint

🧯 If You Can't Patch

Restrict access to /admin/ directory to trusted IP addresses only
Implement database user with minimal permissions (read-only if possible) for the application

🔍 How to Verify

Check if Vulnerable:

Test the /admin/view-enquiry.php endpoint with SQL injection payloads in the viewid parameter (e.g., viewid=1' OR '1'='1)

Check Version:

Check application files or documentation for version information

Verify Fix Applied:

Verify that SQL injection payloads no longer produce database errors or unexpected behavior

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts followed by access to /admin/view-enquiry.php
HTTP requests with SQL keywords in viewid parameter

Network Indicators:

HTTP POST/GET requests to /admin/view-enquiry.php containing SQL injection patterns

SIEM Query:

source="web_logs" AND uri="/admin/view-enquiry.php" AND (query_string CONTAINS "UNION" OR query_string CONTAINS "SELECT" OR query_string CONTAINS "OR '1'='1'")

📊 Metadata

CVE ID: CVE-2024-10300

CVSS v3 Score: 4.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: October 23, 2024

Last Updated: October 25, 2024

🔗 References

https://phpgurukul.com/ Product
https://vuldb.com/?ctiid.281567 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.281567 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.427404 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10300, you might also want to check these: