CVE-2024-12360 – This critical SQL injection vulnerability in On... (How to Fix)

Q: What is the severity of CVE-2024-12360?

CVE-2024-12360 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in Online Class and Exam Scheduling System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in class_update.php. This can lead to unauthorized database access, data theft, or system compromise. All deployments of version 1.0 are affected.

📋 TL;DR

This critical SQL injection vulnerability in Online Class and Exam Scheduling System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in class_update.php. This can lead to unauthorized database access, data theft, or system compromise. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:

Online Class and Exam Scheduling System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable. No special configuration required for exploitation.

📦 What is this software?

Online Class And Exam Scheduling System by Online Class And Exam Scheduling System Project

View all CVEs affecting Online Class And Exam Scheduling System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive student/teacher data exfiltration, authentication bypass, remote code execution, or complete system takeover.

🟠

Likely Case

Unauthorized data access and modification, potential credential theft, and privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and WAF rules blocking SQL injection patterns.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances extremely vulnerable.

🏢 Internal Only: HIGH - Even internal deployments are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available in GitHub repositories. SQL injection via 'id' parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameterized queries and input validation to class_update.php to sanitize the 'id' parameter.

Modify class_update.php to use prepared statements: $stmt = $conn->prepare('UPDATE classes SET ... WHERE id = ?'); $stmt->bind_param('i', $_POST['id']);

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns targeting the class_update.php endpoint.

Add WAF rule: SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"

🧯 If You Can't Patch

Isolate the system behind a reverse proxy with strict input validation
Implement network segmentation and restrict access to only authorized users

🔍 How to Verify

Check if Vulnerable:

Test the class_update.php endpoint with SQL injection payloads in the 'id' parameter (e.g., id=1' OR '1'='1).

Check Version:

Check the software version in the application interface or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return proper error handling.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in application logs
Multiple failed parameter validation attempts on class_update.php
Suspicious database queries from web server IP

Network Indicators:

HTTP POST requests to class_update.php with SQL keywords in parameters
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="*class_update.php*" AND (param="*id=*'*" OR param="*id=* OR *" OR param="*id=* UNION *")

📊 Metadata

CVE ID: CVE-2024-12360

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: December 9, 2024

Last Updated: December 10, 2024

🔗 References

https://code-projects.org/ Product
https://github.com/bjtyyy/CVE/blob/main/Online%20Class%20and%20Exam%20Scheduling%20System.docx Exploit,Third Party Advisory
https://vuldb.com/?ctiid.287279 Permissions Required,VDB Entry
https://vuldb.com/?id.287279 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.458891 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12360, you might also want to check these: