CVE-2024-10702

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in Simple Car Rental System 1.0 allows remote attackers to execute arbitrary SQL commands via the fname parameter in signup.php. Attackers can potentially access, modify, or delete database contents. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Simple Car Rental System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web application component, specifically the /signup.php endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case

Data exfiltration of user information, rental records, and potentially administrative credentials stored in the database.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and SQL injection is a well-understood attack vector with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes with parameterized queries.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add server-side validation to sanitize the fname parameter before processing.

Implement PHP filter_var() or custom regex validation for the fname parameter.

WAF Rule

Platform: all

Deploy web application firewall rules to block SQL injection patterns.

Configure the WAF to detect and block SQL injection attempts on /signup.php.

🧯 If You Can't Patch

  • Disable or restrict access to the /signup.php endpoint if user registration is not required
  • Implement network segmentation to isolate the vulnerable system from sensitive data

🔍 How to Verify

Check if Vulnerable:

Test /signup.php endpoint with SQL injection payloads in fname parameter and observe database errors or unexpected behavior

Check Version:

Check application version in admin panel or source code comments

Verify Fix Applied:

Attempt SQL injection after fixes and verify proper error handling and no database interaction with malicious input

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed signup attempts with special characters
  • Database query errors containing fname parameter

Network Indicators:

  • HTTP POST requests to /signup.php containing SQL keywords (UNION, SELECT, etc.) in parameters
  • Abnormal traffic patterns to registration endpoint

SIEM Query:

source="web_logs" AND uri_path="/signup.php" AND (param_fname CONTAINS "'" OR param_fname CONTAINS "--" OR param_fname CONTAINS "UNION")
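
The SIEM query above, applied to logged request bodies, as an added example (not code from the advisory or the vendor). It assumes each log record carries the request path and the raw form-encoded POST body; the function names and sample records are constructed for illustration. It decodes fname before matching and separates a lone apostrophe, which legitimate names such as O'Brien contain, from values that combine several indicators.

```python
import re
from urllib.parse import parse_qs

# The three indicators from the SIEM query: a quote, a SQL comment marker, UNION.
INDICATORS = {
    "quote": re.compile(r"'"),
    "comment": re.compile(r"--"),
    "union": re.compile(r"\bunion\b", re.IGNORECASE),
}

def fname_indicators(uri_path, body):
    """Return the sorted indicator names matched by the decoded fname value(s)."""
    if uri_path != "/signup.php":
        return []
    # parse_qs percent-decodes once and turns '+' into a space, so
    # URL-encoded input is matched in its decoded form.
    values = parse_qs(body, keep_blank_values=True).get("fname", [])
    hits = {name for v in values for name, rx in INDICATORS.items() if rx.search(v)}
    return sorted(hits)

def triage(records):
    """Split record indexes into (alerts, review).

    Two or more indicators raise an alert; a single indicator is queued
    for review, since a quote alone also appears in real names.
    """
    alerts, review = [], []
    for i, (uri_path, body) in enumerate(records):
        hits = fname_indicators(uri_path, body)
        if len(hits) >= 2:
            alerts.append(i)
        elif hits:
            review.append(i)
    return alerts, review

# Constructed sample records: (request path, raw POST body).
SAMPLE = [
    ("/signup.php", "fname=Alice&lname=Smith"),
    ("/signup.php", "fname=O%27Brien&lname=Lee"),
    ("/signup.php", "fname=x%27+UNION+SELECT+1--+&lname=a"),
    ("/login.php", "fname=%27--"),
    ("/signup.php", "fname=a%27%20uNiOn%20select&lname=b"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Matching on the raw, still-encoded body would miss the third and fifth records, and treating every apostrophe as an alert would flag the second one.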
