CVE-2024-10609

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Tailoring Management System Project 1.0 allows remote attackers to execute arbitrary SQL commands via the 'sex' parameter of typeadd.php. Successful exploitation permits unauthorized reading, modification or deletion of database contents. Organizations running this specific software version are affected.

💻 Affected Systems

Products:
  • Tailoring Management System Project
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the typeadd.php file with the 'sex' parameter. No authentication required for exploitation.

📦 What is this software?

A PHP web application backed by a SQL database (typeadd.php is one of its server-side pages), distributed as a source-code project via itsourcecode.com.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the application database (data theft and destruction) and, where the database account holds file-write or similar privileges, escalation from SQL injection to code execution on the server.

🟠 Likely Case

Unauthorized access to sensitive customer and business data stored in the database, potentially including personal information and financial records.

🟢 If Mitigated

Limited impact: allow-list validation of the parameter, parameterized queries and a least-privilege database account confine any damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub issues. SQL injection via GET/POST parameter manipulation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch is available. Fix the code directly: validate the 'sex' parameter against the set of values the application expects and pass it to the database through a parameterized (prepared) query rather than concatenating it into the SQL string. That change is the actual fix; the items below are interim measures until it is made.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Add server-side validation of the 'sex' parameter in typeadd.php: accept only the expected values and bind the value as a query parameter instead of building the SQL string from it.

Edit typeadd.php to validate the input and use a prepared statement before any database query runs.

Web Application Firewall Rules

Applies to: all

Block SQL injection patterns targeting the typeadd.php endpoint.

Configure the WAF to block requests to typeadd.php whose parameters contain SQL injection patterns. Keyword blocklists are defence in depth only: they are bypassed with percent-encoding, mixed case and inline comments, and they can block legitimate values, so do not treat a WAF rule as the fix.
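The following is an added example, not code from the Tailoring Management System project, showing the bug class behind this CVE next to the two mitigations named above (parameterized query, allow-list validation). It assumes a SELECT keyed on the 'sex' column over a small constructed table; the real query, schema and value set behind typeadd.php are not on the page, and SQLite is used only so the example runs offline.

```python
import sqlite3

# Constructed stand-in for the application's table (assumption: the real
# schema behind typeadd.php is not on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE type (id INTEGER PRIMARY KEY, sex TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO type (sex, name) VALUES (?, ?)",
        [("Male", "Shirt"), ("Female", "Blouse"), ("Female", "Saree")],
    )
    return conn


def lookup_vulnerable(conn, sex):
    """The bug class: the request parameter is spliced into the SQL text, so a
    quote inside 'sex' closes the string literal and the remainder is parsed
    as SQL (tautologies, UNION exfiltration, comments to discard the tail)."""
    sql = f"SELECT name FROM type WHERE sex = '{sex}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, sex):
    """Parameterized query: the value travels separately from the SQL text, so
    the same payload is compared as a plain string and matches nothing."""
    rows = conn.execute("SELECT name FROM type WHERE sex = ?", (sex,))
    return [row[0] for row in rows]


ALLOWED_SEX = frozenset({"Male", "Female"})  # assumed value set for the field


def lookup_hardened(conn, sex):
    """Allow-list validation in front of the parameterized query: for an
    enumerated field, anything outside the known values is rejected before it
    reaches the database at all."""
    if sex not in ALLOWED_SEX:
        raise ValueError(f"unexpected value for sex: {sex!r}")
    return lookup_parameterized(conn, sex)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    exfil = "x' UNION SELECT sql FROM sqlite_master--"
    print(lookup_vulnerable(db, tautology))     # every row, not just one sex
    print(lookup_vulnerable(db, exfil))         # table definition leaked via UNION
    print(lookup_parameterized(db, tautology))  # payload treated as data: []
    print(lookup_hardened(db, "Female"))        # normal use still works
```

In PHP the equivalent of `lookup_hardened` is an `in_array` check against the allowed values followed by `mysqli_prepare`/`bind_param` (or a PDO prepared statement) instead of interpolating `$_GET['sex']` or `$_POST['sex']` into the query string. Running the application's database user with only the privileges typeadd.php needs limits what an injection can reach if a second bug of this kind is found.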

🧯 If You Can't Patch

  • Isolate the vulnerable system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database access from the application

🔍 How to Verify

Check if Vulnerable:

Confirm typeadd.php is present in the deployment and inspect its source: if the 'sex' request parameter is concatenated into a SQL string rather than bound as a query parameter, the installation is vulnerable.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

On a system you are authorized to test, send SQL injection probes in the 'sex' parameter (for example a value containing a single quote that previously produced a SQL error or a tautology that previously returned extra rows) and confirm they are now rejected or handled as plain data.

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in application logs
  • Unusual database queries from web server IP

Network Indicators:

  • HTTP requests to typeadd.php with SQL keywords in parameters

SIEM Query (pseudo-query; apply it to URL-decoded, case-normalized parameter values, since real payloads are usually percent-encoded and mixed-case, and note that parameters sent in a POST body do not appear in web access logs):

web_access_logs WHERE url LIKE '%typeadd.php%' AND (params CONTAINS 'UNION' OR params CONTAINS 'SELECT' OR params CONTAINS 'OR 1=1')
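The following is an added example, not part of the original advisory, implementing the detection logic of the query above over access-log lines: it scopes matches to the typeadd.php endpoint, URL-decodes parameter values and matches injection patterns case-insensitively. The log lines, IP addresses and pattern names are constructed for the example; the endpoint name is the only identifier taken from the page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2024:10:01:02 +0000] "GET /tms/typeadd.php?sex=Male HTTP/1.1" 200 512
203.0.113.10 - - [12/Nov/2024:10:01:09 +0000] "GET /tms/typeadd.php?sex=Male%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
203.0.113.10 - - [12/Nov/2024:10:01:15 +0000] "GET /tms/typeadd.php?sex=x%27%20UnIoN%20SeLeCt%20table_name%20FROM%20information_schema.tables--%20 HTTP/1.1" 500 221
198.51.100.7 - - [12/Nov/2024:10:02:00 +0000] "GET /tms/index.php?q=select%20shirts HTTP/1.1" 200 3300
198.51.100.7 - - [12/Nov/2024:10:02:30 +0000] "POST /tms/typeadd.php HTTP/1.1" 302 0
203.0.113.10 - - [12/Nov/2024:10:03:41 +0000] "GET /tms/typeadd.php?sex=Female%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to decoded parameter values; names are our own labels.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "tautology": re.compile(r"\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "quote_comment": re.compile(r"['\"]\s*(--|#|/\*)"),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}


def classify_params(params):
    """Return the sorted list of pattern names matched by any parameter value."""
    hits = set()
    for _, value in params:
        for name, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def flag_typeadd_requests(log_text, endpoint="typeadd.php"):
    """Scan access-log text and return (ip, method, hits, status) for requests
    to the endpoint whose decoded query parameters match an injection pattern.
    POST bodies are not in access logs, so POST injections are invisible here."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/" + endpoint):
            continue
        # parse_qsl percent-decodes values, so encoded payloads are inspected
        # in the form the application actually sees.
        params = parse_qsl(parts.query, keep_blank_values=True)
        hits = classify_params(params)
        if hits:
            findings.append((m["ip"], m["method"], hits, int(m["status"])))
    return findings


if __name__ == "__main__":
    for finding in flag_typeadd_requests(SAMPLE_LOG):
        print(finding)
```

A 500 status on a flagged request is a useful corroborating signal (the injected SQL broke the query), and an unusually large response body on a tautology request suggests the injection returned more rows than a normal lookup. Expect the keyword patterns to produce some false positives on free-text fields; scoping to the vulnerable endpoint, as done here, keeps that manageable.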
