CVE-2024-10417 – CVE-2024-10417 is a critical SQL injection vuln... (How to Fix)

Q: What is the severity of CVE-2024-10417?

CVE-2024-10417 has a CVSS score of 6.3 (MEDIUM). CVE-2024-10417 is a critical SQL injection vulnerability in the Blood Bank Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'bid' parameter in /file/delete.php. This affects all organizations using this specific version of the software, potentially exposing sensitive blood bank data including donor information, inventory records, and patient data.

📋 TL;DR

CVE-2024-10417 is a critical SQL injection vulnerability in the Blood Bank Management System 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'bid' parameter in /file/delete.php. This affects all organizations using this specific version of the software, potentially exposing sensitive blood bank data including donor information, inventory records, and patient data.

💻 Affected Systems

Products:

Blood Bank Management System

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific version 1.0 of the Blood Bank Management System from code-projects.org. The vulnerability exists in the default installation.

📦 What is this software?

Blood Bank Management System by Fabian

View all CVEs affecting Blood Bank Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, data manipulation, or deletion of all blood bank records, potentially disrupting critical healthcare operations and exposing sensitive medical information.

🟠

Likely Case

Unauthorized access to sensitive blood bank data including donor personal information, blood inventory records, and patient data, with potential for data exfiltration or manipulation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing information disclosure from accessible database tables.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects a web application component, making internet-facing instances particularly vulnerable to widespread attacks.

🏢 Internal Only: MEDIUM - While less exposed than internet-facing systems, internal instances remain vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code is available in the GitHub gist reference. The vulnerability requires minimal technical skill to exploit due to straightforward SQL injection via URL parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Check the vendor website for updates. Consider implementing input validation and parameterized queries as immediate mitigation.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to sanitize the 'bid' parameter in /file/delete.php to only accept expected data types and ranges.

Modify /file/delete.php to validate bid parameter using PHP filter functions or regex patterns

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting the /file/delete.php endpoint.

Add WAF rule: block requests to /file/delete.php containing SQL keywords in bid parameter

🧯 If You Can't Patch

Isolate the Blood Bank Management System from internet access and restrict network access to authorized users only.
Implement database-level controls including minimal privilege accounts, query logging, and regular database activity monitoring.

🔍 How to Verify

Check if Vulnerable:

Test the /file/delete.php endpoint with SQL injection payloads in the bid parameter (e.g., /file/delete.php?bid=1' OR '1'='1). Monitor for database errors or unexpected responses.

Check Version:

Check the software version in the application interface or configuration files. The vulnerable version is specifically 1.0.

Verify Fix Applied:

Attempt the same SQL injection tests after implementing fixes. Verify that input validation rejects malicious payloads and parameterized queries prevent SQL execution.

📡 Detection & Monitoring

Log Indicators:

Unusual database queries originating from web server, SQL syntax errors in application logs, multiple failed delete operations with malformed bid parameters

Network Indicators:

HTTP requests to /file/delete.php containing SQL keywords (UNION, SELECT, INSERT, etc.) in URL parameters

SIEM Query:

source="web_logs" AND uri_path="/file/delete.php" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*INSERT*")

📊 Metadata

CVE ID: CVE-2024-10417

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: October 27, 2024

Last Updated: October 23, 2025

🔗 References

https://code-projects.org/ Product
https://gist.github.com/higordiego/bf0cf963ec56cfe0dcaba2956352bafd Exploit,Third Party Advisory
https://vuldb.com/?ctiid.281958 Permissions Required,Third Party Advisory,VDB Entry
https://vuldb.com/?id.281958 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.431781 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10417, you might also want to check these: