Login Sign Up

CVE-2024-10969

7.3 HIGH
SQL Injection Authentication Bypass

📋 TL;DR

This critical SQL injection vulnerability in the Bookstore Management System 1.0 allows attackers to manipulate login credentials to execute arbitrary SQL commands. It affects the admin login functionality and can be exploited remotely without authentication. Organizations using this software are at risk of data breaches and system compromise.

💻 Affected Systems

Products:
  • 1000 Projects Bookstore Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/login_process.php file specifically. Any deployment with this file accessible is vulnerable.

📦 What is this software?

Bookstore Management System by 1000projects

View all CVEs affecting Bookstore Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation to admin, and potential remote code execution on the server.

🟠

Likely Case

Unauthorized access to admin panel, extraction of sensitive user data (credentials, personal information), and potential system takeover.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or failed login attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub and vuldb. SQL injection via unm/pwd parameters is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://1000projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to a supported alternative or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameterized queries or input sanitization to login_process.php

Modify /admin/login_process.php to use prepared statements with PDO or mysqli

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Add WAF rule: deny requests with SQL keywords in unm/pwd parameters

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all access to /admin/login_process.php

🔍 How to Verify

Check if Vulnerable:

Test login with SQL injection payloads like ' OR '1'='1 in username/password fields

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts return proper error handling or fail authentication

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple failed login attempts with SQL patterns

Network Indicators:

  • HTTP POST requests to /admin/login_process.php with SQL keywords

SIEM Query:

source="web_logs" AND uri="/admin/login_process.php" AND (request CONTAINS "OR" OR request CONTAINS "UNION" OR request CONTAINS "SELECT")

📊 Metadata

CVE ID: CVE-2024-10969
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
Published: November 7, 2024
Last Updated: September 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-10969, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)