CVE-2024-12936

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in Simple Admin Panel 1.0 allows remote attackers to execute arbitrary SQL commands via the record parameter in catDeleteController.php. Attackers can potentially read, modify, or delete database content. All users running Simple Admin Panel 1.0 are affected.

💻 Affected Systems

Products:
  • Simple Admin Panel
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the catDeleteController.php file specifically. Requires PHP environment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

An exploit has been disclosed publicly, and SQL injection is well understood and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider manual code fixes or alternative solutions.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Platforms: all

Manually modify catDeleteController.php to validate the record parameter and to replace raw SQL string building with parameterized queries (PDO or mysqli prepared statements), so the parameter is bound as data rather than concatenated into the query text.
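An added example of the hardened pattern described above (not Simple Admin Panel's own code; the table name `categories`, column `id`, the PDO DSN and the credentials are assumptions): the record id is validated as a positive integer and then bound to a prepared DELETE statement instead of being interpolated into the SQL string.

```php
<?php
// Added example, not the project's code. Table/column names (categories, id),
// the DSN and the credentials are assumptions; adapt them to the real schema.
declare(strict_types=1);

// The pattern this advisory describes: the untrusted parameter is interpolated
// straight into the SQL string, so its content becomes part of the query.
//   $sql = "DELETE FROM categories WHERE id = '" . $_GET['record'] . "'";
//   mysqli_query($conn, $sql);

function deleteCategory(PDO $pdo, mixed $record): bool
{
    // 1. Validate: the id must be a positive integer. FILTER_VALIDATE_INT
    //    returns false for null, "", "1'", "1 OR 1=1" and anything else
    //    that is not a plain integer string.
    $id = filter_var($record, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    // 2. Parameterize: the value is bound, never concatenated into the query.
    $stmt = $pdo->prepare('DELETE FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount() === 1;
}

$pdo = new PDO('mysql:host=localhost;dbname=admin_panel', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Assumption: the delete form submits via POST; read the id only from there.
// An authenticated admin session check belongs before this point.
$deleted = deleteCategory($pdo, $_POST['record'] ?? null);
echo $deleted ? 'Category deleted' : 'Invalid record id';
```

Run the application's database user with only the privileges the panel needs (no FILE, no DDL) so that a remaining injection elsewhere cannot reach the worst case above.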

Web Application Firewall (WAF)

Platforms: all

Deploy WAF rules that block SQL injection patterns in POST/GET parameters, particularly the record parameter sent to catDeleteController.php. Treat this as a stopgap only; it does not remove the underlying flaw.

🧯 If You Can't Patch

  • Isolate the vulnerable system from internet access and restrict to internal network only.
  • Implement strict network segmentation and monitor all database access from the application server.

🔍 How to Verify

Check if Vulnerable:

Check whether catDeleteController.php exists and passes the record parameter into SQL queries without validation or parameter binding.

Check Version:

Check version in application files or documentation; this is version 1.0 only.

Verify Fix Applied:

Verify that catDeleteController.php uses parameterized queries and validates the record parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation in web logs

Network Indicators:

  • SQL error messages in HTTP responses
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (uri="*catDeleteController.php*" AND (param="*record*" AND value="*' OR *"))
