CVE-2024-10990

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in SourceCodester Online Veterinary Appointment System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in /admin/services/view_service.php. Attackers can potentially access, modify, or delete database content. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Online Veterinary Appointment System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including credential theft, data exfiltration, privilege escalation to admin, and potential system takeover via SQL injection leading to remote code execution.

🟠 Likely Case: Unauthorized data access and manipulation of veterinary appointment records, client information, and potentially admin credentials stored in the database.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin access to reach the vulnerable endpoint, but SQL injection techniques are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries or input validation in the affected PHP file.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)
  • Add input validation to sanitize the 'id' parameter before processing SQL queries
  • Modify /admin/services/view_service.php to use prepared statements with parameterized queries

Web Application Firewall (WAF) (applies to: all)
  • Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint
  • Configure WAF to block requests containing SQL injection patterns to /admin/services/view_service.php

🧯 If You Can't Patch

  • Restrict network access to the admin interface using firewall rules or network segmentation
  • Implement strong authentication and monitor admin access logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Test the /admin/services/view_service.php endpoint with SQL injection payloads in the 'id' parameter (e.g., id=1' OR '1'='1)

Check Version:

Check the system version in the admin panel or review the software documentation

Verify Fix Applied:

Test with the same SQL injection payloads after implementing the fixes; the payloads should now be rejected with an error or return no data instead of altering the query result

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts followed by admin access
  • Unusual database queries from the application server

Network Indicators:

  • HTTP requests to /admin/services/view_service.php with SQL keywords in parameters
  • Unusual outbound database connections from the web server

SIEM Query:

source="web_logs" AND uri="/admin/services/view_service.php" AND (param="id" AND value MATCH "[';]|UNION|SELECT|INSERT|UPDATE|DELETE|DROP|OR\s+1=1")
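As an added example that is not part of this advisory, the network indicator and SIEM logic above applied in Python to a few constructed combined-format access-log lines (the log format and source IPs are assumptions). It URL-decodes the 'id' value before matching, since a raw-keyword rule like the SIEM query above would miss percent-encoded or double-encoded payloads.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Endpoint named in the advisory; the log lines further down are constructed
# (combined-log style) for this example and are not real traffic.
VULN_PATH = "/admin/services/view_service.php"
# Same keyword set as the advisory's SIEM query, applied AFTER URL decoding so
# that %27, %20OR%20 and '+'-encoded spaces are not missed.
SQLI_PATTERN = re.compile(
    r"[';]|\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b|\bOR\s+1\s*=\s*1\b",
    re.IGNORECASE,
)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

def flagged_id_values(line):
    """Decoded 'id' values of this request that match SQLI_PATTERN ([] if none)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return []
    hits = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        # parse_qs already decoded once; decoding again catches double-encoded
        # payloads (%2527) that a single-pass WAF or SIEM rule would miss.
        value = unquote_plus(raw)
        if SQLI_PATTERN.search(value):
            hits.append(value)
    return hits

def scan(lines):
    """(source ip, decoded id value) for every suspicious request in the log."""
    results = []
    for line in lines:
        for value in flagged_id_values(line):
            results.append((LOG_LINE.match(line).group("ip"), value))
    return results

SAMPLE_LOG = [  # constructed sample, see comment above
    '203.0.113.5 - - [10/Nov/2024:10:01:02 +0000] "GET /admin/services/view_service.php?id=3 HTTP/1.1" 200 512',
    # the advisory's verification payload, percent-encoded as a browser sends it
    '203.0.113.7 - - [10/Nov/2024:10:01:09 +0000] "GET /admin/services/view_service.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    # UNION probe, double-encoded
    '203.0.113.7 - - [10/Nov/2024:10:01:15 +0000] "GET /admin/services/view_service.php?id=1%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0',
    # same payload against another path is outside this rule's scope
    '203.0.113.9 - - [10/Nov/2024:10:02:00 +0000] "GET /search.php?id=1%27 HTTP/1.1" 200 300',
]
```

Because 'id' is expected to be an integer, a stricter production rule can simply flag any non-numeric value on this endpoint; the keyword match here mirrors the advisory's query so results are comparable.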
