CVE-2024-12926

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in Codezips Project Management System 1.0 allows attackers to execute arbitrary SQL commands via the 'name' parameter in the /pages/forms/advanced.php file. Remote attackers can potentially access, modify, or delete database content. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Codezips Project Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Other parameters beyond 'name' may also be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data destruction, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to the application's data scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add input validation for the 'name' parameter and other user inputs in advanced.php.

Edit /pages/forms/advanced.php so that user input reaches the database only through prepared statements (parameterised queries); fall back to proper escaping only where a query cannot be parameterised.

Web Application Firewall (applies to: all)

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Configure the WAF to block requests to /pages/forms/advanced.php whose parameters contain SQL keywords. A keyword blocklist is a stopgap, not a fix: it can be bypassed by encoding and will also flag legitimate names that happen to contain words such as "select".
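The prepared-statement workaround above, as an added example written for this page (not code from the Codezips project): the table name, column names, database credentials and the original query shape are assumptions, since the page does not show the affected code.

```php
<?php
// Hardened handling of the 'name' parameter for /pages/forms/advanced.php.
// Added illustration; the projects table, its columns and the connection
// details below are assumptions, not the project's real schema.
declare(strict_types=1);

// Unsafe pattern this vulnerability class describes (contrast only, do not use):
//   $sql = "SELECT * FROM projects WHERE name = '" . $_GET['name'] . "'";

function findProjectsByName(mysqli $conn, string $name): array
{
    // Allowlist check first: letters, digits, space, underscore, dot, hyphen, bounded length.
    if ($name === '' || strlen($name) > 100 || !preg_match('/^[\p{L}\p{N} _.\-]+$/u', $name)) {
        http_response_code(400);
        return [];
    }
    // Parameterised query: the value is bound by the driver, never spliced into SQL text.
    $stmt = $conn->prepare('SELECT id, name, status FROM projects WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Surface driver errors as exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// Assumed connection: a dedicated low-privilege application account (see "If You Can't Patch").
$conn = new mysqli('localhost', 'pms_app', getenv('PMS_DB_PASSWORD') ?: '', 'pms');

$name = $_GET['name'] ?? '';
if (!is_string($name)) {          // reject array-style input such as name[]=...
    http_response_code(400);
    exit;
}
foreach (findProjectsByName($conn, $name) as $row) {
    // Escape on output as well, so a stored value cannot become HTML injection.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The allowlist regex should be relaxed to whatever the application legitimately accepts; the prepared statement alone already closes the injection, so the allowlist is defence in depth rather than the primary control.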

🧯 If You Can't Patch

  • Restrict network access to the application using firewall rules to allow only trusted IPs
  • Implement database-level controls with minimal privileges for the application user

🔍 How to Verify

Check if Vulnerable:

Test the /pages/forms/advanced.php endpoint with SQL injection payloads in the 'name' parameter

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in application logs
  • Unusual database queries from web server IP
  • Multiple failed parameter manipulation attempts

Network Indicators:

  • HTTP requests to /pages/forms/advanced.php containing SQL keywords
  • Unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="/pages/forms/advanced.php" AND (payload="UNION" OR payload="SELECT" OR payload="INSERT" OR payload="DELETE")

URL-decode the query string and match keywords case-insensitively before applying this rule; otherwise encoded or mixed-case requests are missed, while the plain keyword match will also flag legitimate project names that contain these words.
