CVE-2024-12929 – This critical SQL injection vulnerability in St... (How to Fix)

Q: What is the severity of CVE-2024-12929?

CVE-2024-12929 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in Student Management System 1.0.00 allows remote attackers to manipulate database queries via the 'size' parameter in /addCatController.php. Organizations using this specific version are affected and could have their student data compromised. The vulnerability enables unauthorized database access and potential data exfiltration.

📋 TL;DR

This critical SQL injection vulnerability in Student Management System 1.0.00 allows remote attackers to manipulate database queries via the 'size' parameter in /addCatController.php. Organizations using this specific version are affected and could have their student data compromised. The vulnerability enables unauthorized database access and potential data exfiltration.

💻 Affected Systems

Products:

Student Management System

Versions: 1.0.00

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the specific version 1.0.00; requires PHP environment with database connectivity.

📦 What is this software?

Student Management System by Code Projects

View all CVEs affecting Student Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or complete system takeover through privilege escalation.

🟠

Likely Case

Unauthorized access to student records, grades, personal information, and potential manipulation of academic data.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available; SQL injection via size parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates 2. If no patch available, implement workarounds 3. Consider migrating to alternative software

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameter validation and sanitization for the 'size' parameter in addCatController.php

Modify PHP code to validate and sanitize user input using prepared statements or parameterized queries

Web Application Firewall Rules

all

Block SQL injection patterns targeting the /addCatController.php endpoint

Configure WAF to block requests containing SQL keywords when targeting /addCatController.php

🧯 If You Can't Patch

Isolate the system from internet access and restrict to internal network only
Implement strict network segmentation and monitor all database queries from the application

🔍 How to Verify

Check if Vulnerable:

Check if running Student Management System version 1.0.00 and examine /addCatController.php for unsanitized 'size' parameter usage

Check Version:

Check application files or documentation for version information

Verify Fix Applied:

Test the 'size' parameter with SQL injection payloads; successful queries should be blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

Unusual database queries from web application
Multiple failed SQL queries with injection patterns
Unexpected database errors in application logs

Network Indicators:

HTTP POST requests to /addCatController.php containing SQL keywords in parameters
Unusual database traffic patterns

SIEM Query:

source="web_logs" AND uri="/addCatController.php" AND (param="size" AND value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "INSERT")

📊 Metadata

CVE ID: CVE-2024-12929

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

Published: December 26, 2024

Last Updated: April 3, 2025

🔗 References

https://code-projects.org/ Product
https://vuldb.com/?ctiid.289282 Permissions Required,VDB Entry
https://vuldb.com/?id.289282 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.468120 Third Party Advisory,VDB Entry
https://code-projects.org/student-management-system-using-php-source-code/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12929, you might also want to check these: