CVE-2024-12894

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability (scored 6.3 MEDIUM above) in TreasureHuntGame's TreasureHunt allows attackers to execute arbitrary SQL commands by manipulating the 'usuario' parameter of acesso.php, the application's login script. It can be exploited remotely without authentication and may expose or alter the entire application database. All installations at or before commit 963e0e0 are affected.

💻 Affected Systems

Products:
  • TreasureHuntGame TreasureHunt
Versions: All versions up to commit 963e0e0
Operating Systems: Any OS running PHP with TreasureHunt installed
Default Config Vulnerable: ⚠️ Yes
Notes: This affects the rolling release version of TreasureHunt. The vulnerability is in the authentication component (acesso.php), making it particularly dangerous as it's at the entry point of the application.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.

🟠

Likely Case

Unauthorized data access, user credential theft, and potential application takeover through administrative account compromise.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects a web application component.
🏢 Internal Only: MEDIUM - While still dangerous, internal-only deployments reduce the attack surface compared to internet-facing instances.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well understood and easily weaponized. The fix commit is described as replacing the query with parameterized statements, which is consistent with a classic string-concatenated query in acesso.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 8bcc649abc35b7734951be084bb522a532faac4e and later

Vendor Advisory: https://github.com/TreasureHuntGame/TreasureHunt/commit/8bcc649abc35b7734951be084bb522a532faac4e

Restart Required: No

Instructions:

1. Pull the latest code from the TreasureHunt repository.
2. Verify you have commit 8bcc649abc35b7734951be084bb522a532faac4e or later.
3. Replace the vulnerable acesso.php file with the patched version.
4. No service restart is required, as PHP files are interpreted on each request. The one exception is OPcache configured with opcache.validate_timestamps=0, which keeps serving the cached old script; in that case reset the cache or restart PHP-FPM.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules


Implement WAF rules to block SQL injection patterns in the 'usuario' parameter

Input Validation Filter


Add input validation for the 'usuario' parameter before it reaches the query. Prefer an allowlist (reject anything that is not a plausible username) over sanitizing. Note that FILTER_SANITIZE_STRING only strips tags and HTML-encodes quotes, is deprecated as of PHP 8.1, and is not an SQL injection defense on its own; treat it as a stopgap until the parameterized-query fix is applied.

// PHP example (stopgap only): filter_input(INPUT_POST, 'usuario', FILTER_SANITIZE_STRING);
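To make concrete why the parameterized query in the official fix is the real remedy and why a sanitizing filter is only a stopgap, here is an added Python/SQLite model of the login pattern the page describes. It is not the project's PHP code (acesso.php itself is not reproduced on this page); it assumes a query of the form SELECT ... FROM usuarios WHERE usuario = '<usuario>' AND senha = '<senha>', a table and column names chosen for the demo, and constructed sample rows.

```python
"""Added model of the acesso.php login pattern (example code, not the project's).

Assumptions (not taken from the page): a 'usuarios' table with 'usuario',
'senha' and 'admin' columns, and a login query that compares both fields.
The vulnerable version concatenates the request parameters into the SQL
text; the fixed version binds them as parameters, as the fix commit is
described as doing.
"""
import sqlite3


def setup_db():
    """Constructed sample table. Plaintext passwords are for the demo only;
    real applications store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usuarios (id INTEGER PRIMARY KEY, usuario TEXT, "
        "senha TEXT, admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO usuarios (usuario, senha, admin) VALUES (?, ?, ?)",
        [("admin", "s3cret", 1), ("alice", "wonder", 0)],
    )
    return conn


def login_vulnerable(conn, usuario, senha):
    """Injectable: attacker-controlled text becomes part of the SQL grammar."""
    sql = (
        "SELECT usuario, admin FROM usuarios WHERE usuario = '"
        + usuario + "' AND senha = '" + senha + "'"
    )
    return conn.execute(sql).fetchone()


def login_fixed(conn, usuario, senha):
    """Parameterized: the driver binds the values; they are never parsed as SQL."""
    sql = "SELECT usuario, admin FROM usuarios WHERE usuario = ? AND senha = ?"
    return conn.execute(sql, (usuario, senha)).fetchone()


def demo():
    """Run the same inputs through both versions and return the outcomes."""
    conn = setup_db()
    payloads = {
        # comments out the password check: WHERE usuario = 'admin' -- ...
        "comment_out_password": ("admin' -- ", "wrong"),
        # tautology: WHERE usuario = '' OR '1'='1' AND senha = '' OR '1'='1'
        "tautology": ("' OR '1'='1", "' OR '1'='1"),
        # a legitimate login must still work after the fix
        "legit": ("alice", "wonder"),
    }
    return {
        name: {"vulnerable": login_vulnerable(conn, u, s),
               "fixed": login_fixed(conn, u, s)}
        for name, (u, s) in payloads.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} vulnerable={result['vulnerable']}  fixed={result['fixed']}")
```

Both injected inputs log the attacker in as the first row (the admin account) through the concatenated query and return nothing through the bound one, while the legitimate credentials succeed in both. Quote-encoding filters can blunt the string-context payloads shown here but do nothing for numeric or identifier contexts, which is why the workaround above is a stopgap rather than a fix.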

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection detection rules
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

An installation is vulnerable if the fix commit is not an ancestor of the checked-out revision. After fetching from the upstream repository, run: git merge-base --is-ancestor 8bcc649abc35b7734951be084bb522a532faac4e HEAD && echo patched || echo vulnerable (forks with squashed or rewritten history will not contain that commit ID; compare your acesso.php against the patched version instead).

Check Version:

git log --oneline -1

Verify Fix Applied:

Confirm the fix commit is reachable from your branch: git branch --contains 8bcc649abc35b7734951be084bb522a532faac4e (an empty result means the fix is not applied; git log --oneline -1 only shows the HEAD commit and does not prove the fix is present).

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts with SQL syntax in username field
  • Database query errors containing unusual characters

Network Indicators:

  • HTTP POST requests to acesso.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="*access.log*" AND "acesso.php" AND ("usuario=*'*" OR "usuario=*%27*" OR "usuario=*SELECT*" OR "usuario=*UNION*")

Note that a standard web server access log records only the request line, so this query sees the 'usuario' value only when it is sent in a GET query string. POST submissions to acesso.php, the normal login path, will not expose the parameter unless request-body logging is enabled on a WAF or reverse proxy in front of the application.
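The log indicators and SIEM query above, as an added detection example in Python (not code from the project or the original page). It parses constructed combined-format access log lines, URL-decodes the 'usuario' parameter on requests to acesso.php and scores it for injection markers. The sample lines, IPs and scoring thresholds are all assumptions made for the demo; the detector also counts POSTs to acesso.php whose bodies a plain access log cannot show.

```python
"""Added detector for the page's log indicators (example code, not from the
project). Assumes Apache/nginx combined log format and constructed samples."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /acesso.php?usuario=alice&senha=x HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /acesso.php?usuario=admin%27+--+&senha=x HTTP/1.1" 200 9812
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /acesso.php?usuario=%27+UNION+SELECT+1%2C2%2C3--&senha=x HTTP/1.1" 500 301
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "POST /acesso.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Jan/2025:10:00:05 +0000] "GET /acesso.php?usuario=o%27brien&senha=x HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2025:10:00:06 +0000] "GET /index.php?usuario=%27+OR+1%3D1 HTTP/1.1" 200 100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each indicator is a (name, regex) pair applied to the *decoded* value.
INDICATORS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*|#")),
    ("keyword", re.compile(r"\b(union|select|or|and|sleep|benchmark|waitfor)\b", re.I)),
]


def parse_line(line):
    """Return a dict with method, path and decoded query params, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs undoes %27 and '+' encoding, so 'admin%27+--+' becomes "admin' -- "
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def score_value(value):
    """List the indicator names present in a decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def analyze(log_text, path="/acesso.php", param="usuario"):
    """Scan log text; return alerts for suspicious values plus a count of
    POSTs whose bodies the access log cannot show."""
    alerts, unseen_post_bodies = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(path):
            continue
        if rec["method"] == "POST" and not rec["params"]:
            unseen_post_bodies += 1
            continue
        value = rec["params"].get(param)
        if value is None:
            continue
        hits = score_value(value)
        if not hits:
            continue
        # A lone quote is common in real names (o'brien); a quote plus a
        # comment sequence or SQL keyword is far more specific to a probe.
        severity = "high" if len(hits) >= 2 else "low"
        alerts.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                       "value": value, "hits": hits, "severity": severity})
    return {"alerts": alerts, "unseen_post_bodies": unseen_post_bodies}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['severity']:4} {a['ip']:14} {a['hits']} {a['value']!r}")
    print("POSTs to acesso.php with unlogged bodies:", result["unseen_post_bodies"])
```

Decoding before matching matters: the SIEM query above has to list both ' and %27 because it runs on raw text, whereas this detector sees the value the PHP script actually receives. The severity split is a heuristic; in a real deployment, correlate high-severity hits with the 500 responses and oversized reply sizes the page lists as indicators.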
