CVE-2024-10700

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability (rated 6.3, Medium) in University Event Management System 1.0 allows attackers to manipulate database queries through the submit.php file. Remote, unauthenticated attackers can potentially read, modify, or delete data in the backing database. Any organization running this software is affected.

💻 Affected Systems

Products:
  • University Event Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects submit.php file with multiple parameters (name, email, title, Year, gender, fromdate, todate, people) vulnerable to SQL injection.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, and authentication bypass. Escalation to remote code execution is possible only if the database account has file-write privileges (e.g. MySQL FILE) and a writable web root, so check those conditions when assessing exposure.

🟠 Likely Case

Unauthorized access to event data and submitter details (names, email addresses), plus manipulation or deletion of database contents.

🟢 If Mitigated

Parameterized queries remove the injection entirely. With only partial measures (input validation, a least-privilege database account, generic error pages), the residual impact is limited to error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details publicly available on GitHub, remote attack vector, no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None published

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Rewrite the database access in submit.php to use prepared statements with bound parameters for every user-supplied value (name, email, title, Year, gender, fromdate, todate, people), and add per-field validation: allow-lists for enumerated fields, format checks for dates, integer checks for counts. Validation alone is not a fix; the prepared statement is what stops the injection.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation for every parameter accepted by submit.php: reject values that do not match the expected type or format before they reach any query. Treat this as a stopgap until parameterized queries are in place.

Web Application Firewall Rules (applies to: all)

Deploy WAF rules that block SQL injection patterns in requests to submit.php. Ensure the rules inspect POST bodies as well as query strings and match against URL-decoded, case-normalized input, since signature-only matching on raw request text is easy to bypass.
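The following is an added example of the fix described under Instructions and the validation workaround above; it is not the project's own submit.php. The table name (events), column names, allow-list values for Year and gender, and the database credentials are assumptions. Every user-supplied value reaches the database only through a bound parameter.

```php
<?php
// Added example (not the project's code): hardened handling for the submit.php
// parameters named in the advisory. Table/column names, the Year and gender
// allow-lists, and the connection details are assumptions.
declare(strict_types=1);

function validate_submission(array $post): array
{
    $errors = [];
    $clean = [];

    // Free-text fields: bound the length only. Escaping is not needed here
    // because the values are passed to the query as bound parameters.
    foreach (['name' => 100, 'title' => 200] as $field => $max) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '' || mb_strlen($value) > $max) {
            $errors[] = "$field is required and must be at most $max characters";
        }
        $clean[$field] = $value;
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is invalid';
    }
    $clean['email'] = (string) $email;

    // Enumerated fields: strict allow-list (assumed value sets).
    $year = (string) ($post['Year'] ?? '');
    if (!in_array($year, ['1', '2', '3', '4'], true)) {
        $errors[] = 'Year must be 1-4';
    }
    $clean['Year'] = $year;

    $gender = (string) ($post['gender'] ?? '');
    if (!in_array($gender, ['male', 'female', 'other'], true)) {
        $errors[] = 'gender is invalid';
    }
    $clean['gender'] = $gender;

    // Dates: must parse in the exact format and round-trip unchanged.
    foreach (['fromdate', 'todate'] as $field) {
        $raw = (string) ($post[$field] ?? '');
        $d = DateTime::createFromFormat('Y-m-d', $raw);
        if ($d === false || $d->format('Y-m-d') !== $raw) {
            $errors[] = "$field must be YYYY-MM-DD";
        }
        $clean[$field] = $raw;
    }

    $people = filter_var($post['people'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($people === false) {
        $errors[] = 'people must be an integer between 1 and 10000';
    }
    $clean['people'] = (int) $people;

    return [$clean, $errors];
}

function insert_event(mysqli $db, array $row): int
{
    // A placeholder for every user-supplied value: the server parses the SQL
    // before the values arrive, so they can never change the statement.
    $stmt = $db->prepare(
        'INSERT INTO events (name, email, title, year, gender, fromdate, todate, people)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssssssi', $row['name'], $row['email'], $row['title'], $row['Year'],
        $row['gender'], $row['fromdate'], $row['todate'], $row['people']);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    [$row, $errors] = validate_submission($_POST);
    if ($errors !== []) {
        http_response_code(400);
        echo 'Invalid submission: ' . htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8');
        exit;
    }
    $db = new mysqli('localhost', 'app_user', 'app_password', 'events_db'); // assumed credentials
    $db->set_charset('utf8mb4');
    insert_event($db, $row);
    echo 'Event submitted';
}
```

The allow-lists and ranges are placeholders to adapt to the real form; the structural point is that validation rejects malformed input early and bind_param removes the injection regardless of what passes validation. Run the application's database account with INSERT on the events table only, so a remaining flaw elsewhere cannot read other tables or write files.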

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict it to the internal network only
  • Implement strict network segmentation and monitor all database access attempts
  • Run the application's database account with least privilege: no FILE privilege, no DDL, and no access to tables the event form does not need

🔍 How to Verify

Check if Vulnerable:

On a system you are authorized to test, send a benign boolean or time-based probe (for example a single quote followed by a logically true and a logically false condition, or a short SLEEP()) in each of the name, email, title, Year, gender, fromdate, todate and people parameters of submit.php and compare the responses. A difference in response content, status code, or timing indicates the input reached the query unparameterized. Avoid destructive payloads on production data.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Confirm in submit.php that every query touching these parameters uses prepared statements with bound parameters (no string concatenation or interpolation into SQL), then repeat the probes above and confirm the responses no longer differ.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts after SQL injection attempts
  • Error messages containing SQL syntax in web logs

Network Indicators:

  • Unusual POST requests to submit.php with SQL keywords
  • Multiple parameter manipulation attempts

SIEM Query:

source="web_logs" AND uri="/submit.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT" OR request_body CONTAINS "DELETE")

This query only works if your web server or WAF logs POST bodies, which standard access logs do not. Make the keyword match case-insensitive and run it against URL-decoded data, otherwise lowercase or percent-encoded payloads (e.g. %27%20union%20select) are missed. Expect false positives from legitimate event titles containing these words; review hits rather than alerting on them blindly.
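As an added example of the detection logic described in this section (not code from the page or the project), the following PHP CLI script scans access log lines for injection attempts against submit.php, decoding and normalizing each request target before matching. The log lines are constructed, and the Combined Log Format parsing and the signature list are assumptions.

```php
<?php
// Added example (not the project's code): flag SQL-injection attempts against
// submit.php in web-server access logs. The sample lines below are constructed;
// the log format and the signature list are assumptions.
declare(strict_types=1);

function is_sqli_attempt(string $target): bool
{
    // Decode twice (catches %2527-style double encoding), lower-case, and drop
    // inline comments attackers use to split keywords (UN/**/ION).
    $s = strtolower(urldecode(urldecode($target)));
    $s = preg_replace('#/\*.*?\*/#s', '', $s) ?? $s;
    $patterns = [
        '/\'\s*(or|and)\s+[\w\'"]+\s*=\s*[\w\'"]+/',          // ' OR '1'='1
        '/\bunion\s+(all\s+)?select\b/',                      // UNION SELECT
        '/\b(sleep|benchmark|extractvalue|updatexml)\s*\(/',  // blind / error-based probes
        '/;\s*(drop|delete|update|insert|select)\b/',         // stacked statements
        '/\'\s*(--|#)/',                                      // quote followed by comment terminator
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $s) === 1) {
            return true;
        }
    }
    return false;
}

function flag_submit_requests(array $lines): array
{
    $hits = [];
    // Combined Log Format: client ident user [time] "METHOD target PROTO" status bytes
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (preg_match($re, $line, $m) !== 1) {
            continue;
        }
        [, $client, $time, $method, $target, $status] = $m;
        if (!str_contains($target, 'submit.php') || !is_sqli_attempt($target)) {
            continue;
        }
        $hits[] = [
            'client' => $client, 'time' => $time, 'method' => $method,
            'target' => $target, 'status' => (int) $status,
        ];
    }
    return $hits;
}

// Constructed sample lines: a benign request, two injection attempts, an unrelated request.
$sampleLog = [
    '203.0.113.5 - - [12/Nov/2024:09:14:03 +0000] "GET /submit.php?name=Alice&email=alice%40example.edu&Year=2 HTTP/1.1" 200 1432',
    '198.51.100.7 - - [12/Nov/2024:09:15:41 +0000] "GET /submit.php?name=x%27%20OR%20%271%27%3D%271&email=a%40b.c HTTP/1.1" 500 612',
    '198.51.100.7 - - [12/Nov/2024:09:15:58 +0000] "GET /submit.php?title=%27%20UNION%20SELECT%20user%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Nov/2024:09:16:10 +0000] "GET /index.php HTTP/1.1" 200 3210',
];

if (PHP_SAPI === 'cli') {
    foreach (flag_submit_requests($sampleLog) as $hit) {
        printf("%s %s %s -> %d\n", $hit['time'], $hit['client'], $hit['target'], $hit['status']);
    }
}
```

Run on the constructed sample, the script reports the two requests from 198.51.100.7 and nothing else. Because access logs record only the query string, this catches injection in GET parameters; submit.php is normally driven by a POST form, so feed the same is_sqli_attempt() check the request bodies captured by your WAF or mod_security audit log to cover that path.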

🔗 References
