CVE-2024-10336

7.3 HIGH

📋 TL;DR

This high-severity SQL injection vulnerability in SourceCodeHero Clothes Recommendation System 1.0 allows attackers to execute arbitrary SQL commands via the 't1' parameter on the admin login page. Attackers can potentially bypass authentication, access sensitive data, or compromise the database. All installations of version 1.0 with the vulnerable component exposed are affected.

💻 Affected Systems

Products:
  • SourceCodeHero Clothes Recommendation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the admin login page accessible. The vulnerability is in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Authentication bypass allowing unauthorized admin access, followed by data exfiltration or system manipulation.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on vuldb.com. SQL injection via GET/POST parameter manipulation is well-understood and easily automated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch is available. Implement input validation and parameterized (prepared) queries in /admin/index.php, or replace the application with a secure alternative.

🔧 Temporary Workarounds

Web Application Firewall (WAF) [platform: all]

Deploy a WAF with SQL injection rules to block malicious requests to /admin/index.php.

Access Restriction [platform: linux]

Restrict access to the /admin/ directory to trusted IP addresses only. The 192.168.1.0/24 range below is a placeholder; substitute your administrative network.

# Apache 2.2 syntax (e.g. in /admin/.htaccess or a <Directory> block):
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Apache 2.4 equivalent (the three directives above need mod_access_compat there):
Require ip 192.168.1.0/24
# Nginx (inside the server block):
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict network access to necessary connections only
  • Implement strict input validation and parameterized queries in the vulnerable PHP file

🔍 How to Verify

Check if Vulnerable:

Test the /admin/index.php endpoint with SQL injection payloads in the 't1' parameter and observe database errors or unexpected behavior

Check Version:

Check the software version in the application interface or configuration files

Verify Fix Applied:

Attempt SQL injection attacks against the patched endpoint and confirm they are blocked or properly handled

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in access logs for /admin/index.php
  • Multiple failed login attempts followed by successful admin access
  • Database error messages in application logs

Network Indicators:

  • HTTP requests to /admin/index.php containing SQL keywords (UNION, SELECT, INSERT, etc.) in parameters
  • Unexpected database connections from web server

SIEM Query:

source="web_access_logs" AND uri="/admin/index.php" AND (param="t1" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;)")
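The SIEM query above is written in pseudo-syntax. As an added example (not from the advisory or the vendor), the same logic in Python, run over constructed Apache/Nginx combined-format access-log lines for /admin/index.php, matching the advisory's keyword pattern against the URL-decoded 't1' value. It also surfaces two things the one-liner hides: POST bodies never reach the access log, and the broad keyword regex flags benign usernames, so per-client counts help triage.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Keyword pattern from the advisory's SIEM query, matched against the decoded
# 't1' value only (not the whole request line).
SQLI_PATTERN = re.compile(r"(?i)(union|select|insert|update|delete|drop|--|#|;)")

# Apache/Nginx combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. Line 1 is a POST: the body is not
# logged, so POST-based injection needs application-level logging to be seen.
# Line 4 is a benign username that the broad substring regex still flags.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "POST /admin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:12:00:07 +0000] "GET /admin/index.php?t1=admin&t2=s3cret HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:12:00:09 +0000] "GET /admin/index.php?t1=admin%27--&t2=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Oct/2024:12:00:12 +0000] "GET /admin/index.php?t1=dropbox_user&t2=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:12:00:14 +0000] "GET /admin/index.php?t1=1%27+UNION+SELECT+1,2%23&t2=x HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Oct/2024:12:00:20 +0000] "GET /index.php?t1=select HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def t1_values(target: str) -> list[str]:
    """Decoded 't1' values from the query string, only for the admin login page."""
    parts = urlsplit(target)
    if parts.path != "/admin/index.php":
        return []
    return parse_qs(parts.query, keep_blank_values=True).get("t1", [])

def detect(log_text: str) -> list[tuple[str, str, str, int]]:
    """Return (client_ip, method, decoded_t1, status) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in t1_values(m["target"]):
            if SQLI_PATTERN.search(value):
                hits.append((m["ip"], m["method"], value, int(m["status"])))
    return hits

def hits_by_client(hits: list[tuple[str, str, str, int]]) -> dict[str, int]:
    """Flagged requests per client: a burst from one IP outranks a one-off match."""
    counts: dict[str, int] = {}
    for ip, _, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Running detect(SAMPLE_LOG) flags three requests; the request to /index.php is ignored because only the admin login path is in scope, and the POST on line 1 cannot be judged from the access log at all.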
