CVE-2024-12785

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in itsourcecode Vehicle Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in sendmail.php. This could lead to unauthorized data access, modification, or deletion. All deployments of Vehicle Management System 1.0 with the vulnerable sendmail.php file are affected.

💻 Affected Systems

Products:
  • itsourcecode Vehicle Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using the default sendmail.php file. No specific OS requirements.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including sensitive data exfiltration, authentication bypass, remote code execution via database functions, and system takeover.

🟠 Likely Case

Unauthorized access to vehicle management data, customer information theft, and potential data manipulation affecting business operations.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit documentation exists. SQL injection via GET/POST parameters requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

1. Check the vendor website for updates.
2. If no patch is available, implement the workarounds below.
3. Consider replacing the software with a supported alternative.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Add parameter validation and sanitization to sendmail.php to prevent SQL injection
  • Modify sendmail.php to use prepared statements with parameterized queries

Web Application Firewall (WAF) (applies to: all)

  • Deploy WAF rules to block SQL injection patterns
  • Configure the WAF to block requests containing SQL keywords in the id parameter

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules
  • Implement database-level controls with minimal required permissions

🔍 How to Verify

Check if Vulnerable:

Test sendmail.php with SQL injection payloads in the id parameter (e.g., id=1' OR '1'='1)

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and that the application returns proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web server
  • SQL syntax errors in application logs
  • Multiple failed parameter validation attempts

Network Indicators:

  • HTTP requests with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

web.url:*sendmail.php* AND (web.param.id:*OR* OR web.param.id:*UNION* OR web.param.id:*SELECT*)
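As an added example (not part of this advisory or the vendor's code), the following Python script applies the same rule as the SIEM query above to constructed access-log lines, but inspects the id parameter after URL decoding and matches SQL keywords as whole words, so a percent-encoded payload is still caught while a value such as "ford" is not reported as an "OR" hit. It assumes the log is in common access-log format and that sendmail.php expects a purely numeric id.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in common log format (not from the advisory or any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "GET /vms/sendmail.php?id=42 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /vms/sendmail.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /vms/sendmail.php?id=5+UNION+SELECT+1,2,3 HTTP/1.1" 500 214
10.0.0.3 - - [01/Jan/2025:10:00:04 +0000] "GET /vms/sendmail.php?id=ford HTTP/1.1" 200 512
10.0.0.8 - - [01/Jan/2025:10:00:05 +0000] "GET /vms/index.php?page=OR HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
SQL_KEYWORDS = {"OR", "AND", "UNION", "SELECT"}  # the keywords the SIEM query looks for, plus AND

def classify_id(value: str) -> list[str]:
    """Return the reasons a decoded id value looks like SQL injection (empty list means benign).

    Assumption: sendmail.php expects a purely numeric id. Keywords are matched as whole words,
    so a legitimate-looking value such as 'ford' is not reported as an 'OR' hit."""
    reasons = []
    if value.isdigit():
        return reasons
    if "'" in value or '"' in value:
        reasons.append("quote character")
    words = {w.upper() for w in re.findall(r"[A-Za-z_]+", value)}
    reasons += [f"keyword {kw}" for kw in sorted(words & SQL_KEYWORDS)]
    return reasons or ["non-numeric id"]

def scan_access_log(text: str) -> list[dict]:
    """Flag requests to sendmail.php whose id parameter carries SQL injection indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/sendmail.php"):
            continue  # same scope as the SIEM query: only the vulnerable script
        # parse_qs percent-decodes and turns '+' into spaces, so encoded payloads are inspected decoded.
        for raw_id in parse_qs(url.query).get("id", []):
            reasons = classify_id(raw_id)
            if reasons:
                findings.append({"ip": m.group("ip"), "id": raw_id, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} id={f['id']!r}: {', '.join(f['reasons'])}")
```

Running it against the constructed log reports the two injection attempts with their decoded id values, lists "ford" only as a non-numeric id, and ignores the index.php request, which a bare `*OR*` wildcard on a broader URL scope would have matched.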
