CVE-2024-12784 – This critical SQL injection vulnerability in Ve... (How to Fix)

Q: What is the severity of CVE-2024-12784?

CVE-2024-12784 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in Vehicle Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in editbill.php. Attackers can potentially access, modify, or delete database content. All deployments of this software are affected.

📋 TL;DR

This critical SQL injection vulnerability in Vehicle Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in editbill.php. Attackers can potentially access, modify, or delete database content. All deployments of this software are affected.

💻 Affected Systems

Products:

itsourcecode Vehicle Management System

Versions: 1.0

Operating Systems: All platforms running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Any deployment with editbill.php accessible is vulnerable. The software appears to be a custom PHP application.

📦 What is this software?

Vehicle Management System by Admerc

View all CVEs affecting Vehicle Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution if database functions allow it.

🟠

Likely Case

Unauthorized data access and modification, potentially leading to data integrity issues and information disclosure.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to specific tables.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details exist.

🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or network-accessible attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available in PDF format. Attack requires access to the editbill.php endpoint, which may require authentication depending on implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries or input validation in editbill.php. Replace raw SQL queries with prepared statements.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize the 'id' parameter before processing

// In editbill.php, add: $id = filter_var($_GET['id'], FILTER_VALIDATE_INT); if (!$id) { die('Invalid input'); }

Web Application Firewall Rule

all

Block SQL injection patterns targeting editbill.php

ModSecurity rule: SecRule REQUEST_URI "@contains editbill.php" "id:1001,phase:2,deny,msg:'SQLi attempt on editbill.php'"

🧯 If You Can't Patch

Restrict network access to the Vehicle Management System using firewall rules
Implement database user with minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test editbill.php with SQL injection payloads like: editbill.php?id=1' OR '1'='1

Check Version:

Check PHP files for version comments or review application documentation

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or produce error messages without database interaction

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in application logs
Multiple requests to editbill.php with SQL-like parameters
Database query errors containing single quotes or SQL keywords

Network Indicators:

HTTP requests to editbill.php containing SQL injection patterns
Unusual database traffic from web server

SIEM Query:

source="web_logs" AND uri="*editbill.php*" AND (query="*' OR*" OR query="*UNION*" OR query="*SELECT*" OR query="*--*" OR query="*;*" OR query="*/*")

📊 Metadata

CVE ID: CVE-2024-12784

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: December 19, 2024

Last Updated: December 22, 2025

🔗 References

https://github.com/FinleyTang/Vehicle-Management-System/blob/main/Vehicle%20Management%20System%20editbill.php%20has%20Sqlinjection.pdf Exploit,Third Party Advisory
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.288960 Permissions Required,VDB Entry
https://vuldb.com/?id.288960 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.462629 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12784, you might also want to check these: