CVE-2024-12945

7.3 HIGH

📋 TL;DR

A critical SQL injection vulnerability in Simple Car Rental System 1.0 allows attackers to execute arbitrary SQL commands via the email/pass parameters in account.php. This affects all deployments of this software version. Remote attackers can potentially access, modify, or delete database contents.

💻 Affected Systems

Products:
  • Simple Car Rental System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The vulnerability exists in the default code without requiring special configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized access to sensitive data including user credentials, personal information, and rental records.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via account.php which is typically internet-facing for web applications.
🏢 Internal Only: MEDIUM - Internal systems could still be targeted via phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection via login parameters is a well-understood attack vector with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updated version.
2. If no patch available, implement parameterized queries in account.php.
3. Replace direct user input concatenation with prepared statements.
4. Validate and sanitize all email and password inputs.
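
A sketch of steps 2 to 4 for a login lookup, added here as an example; it is not the project's own account.php. The `email` and `pass` POST fields come from this advisory; the table and column names, the database credentials, the `authenticate()` helper and the use of `password_hash()` for stored passwords are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Assumed names: table `users`, columns `id`, `email`,
// `password_hash` (written by password_hash()), DB credentials, authenticate().

// Throw exceptions on DB errors so they can be logged instead of shown to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function authenticate(mysqli $db, string $email, string $pass): ?int
{
    // Step 4: check shape and length before touching the database.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    if ($pass === '' || strlen($pass) > 1024) {
        return null;
    }
    // Steps 2-3: the SQL text is constant; the email travels only as a bound
    // parameter, so quotes or comment markers in it are treated as data.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch() === true;
    $stmt->close();
    // The password never enters SQL; it is compared with the stored hash.
    if (!$found || !password_verify($pass, (string) $hash)) {
        return null;
    }
    return (int) $id;
}

// Login handler: non-string input (e.g. email[]=x) is reduced to ''.
$email = is_string($_POST['email'] ?? null) ? $_POST['email'] : '';
$pass  = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';
try {
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'car_rental'); // placeholders
    $userId = authenticate($db, $email, $pass);
    if ($userId === null) {
        http_response_code(401);
        exit('Invalid email or password.'); // same generic message for every failure
    }
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
} catch (mysqli_sql_exception $e) {
    error_log('login query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Login is temporarily unavailable.');
}
```

If the existing database stores passwords in another form, the comparison step has to match that form until the stored values are migrated; the bound-parameter query is the part that addresses the injection.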

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests.

Input Validation Filter

linux

Add input validation to reject SQL special characters in email and password fields.

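Add PHP validation: if (preg_match('/[\'";]|--/', $input)) { http_response_code(400); exit('Invalid input'); }

This filter rejects quotes, semicolons and the -- comment sequence. It is a stopgap only: it also rejects legitimate passwords containing those characters, and it does not replace prepared statements.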

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test account.php with SQL injection payloads like ' OR '1'='1 in email/password fields and observe database errors or unexpected behavior.

Check Version:

Check PHP files for version comments or compare file hashes with known vulnerable version.

Verify Fix Applied:

Attempt SQL injection tests after fixes. Successful fixes should return generic login failure messages without database errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in URL parameters
  • Multiple failed login attempts with SQL patterns
  • Database error messages in web server logs

Network Indicators:

  • HTTP POST requests to account.php containing SQL keywords like UNION, SELECT, OR, --

SIEM Query:

source="web_logs" url="*account.php*" ("' OR" OR "UNION SELECT" OR ";--" OR "1=1")
