CVE-2024-12967

7.3 HIGH

📋 TL;DR

A critical SQL injection vulnerability in code-projects Job Recruitment 1.0 allows attackers to manipulate database queries through the fname/lname parameters in the fln_update function. This enables unauthorized data access, modification, or deletion. All installations of Job Recruitment 1.0 with the vulnerable file are affected.

💻 Affected Systems

Products:
  • code-projects Job Recruitment
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation with the vulnerable /_parse/_all_edits.php file accessible via web.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover by chaining SQL injection into remote code execution.

🟠 Likely Case: Unauthorized access to sensitive job applicant data and user credentials, with potential privilege escalation.

🟢 If Mitigated: Limited impact; proper input validation and restrictive database permissions confine any damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub, remote exploitation possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add parameter validation to reject SQL special characters in the fname/lname parameters. Treat this as defence in depth only: character blocklists are routinely bypassed, so the durable fix is to pass fname/lname to the database as bound parameters of a prepared statement.

Edit /_parse/_all_edits.php to sanitize inputs before SQL query execution.
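The following is an added illustration of that fix, not code from Job Recruitment 1.0 (the project's actual fln_update body is not reproduced here). The mysqli connection, the users table, its column names and the id parameter are assumptions made for the example.

```php
<?php
// Illustrative example, not the project's own code.
// Assumed (hypothetical): a mysqli connection $conn, a table `users` with
// columns fname, lname and id, and that fln_update() receives the submitted
// first/last name plus the id of the row to update.

// The vulnerable pattern: untrusted fname/lname concatenated into the SQL
// string, so the database parses attacker-controlled text as part of the query.
function fln_update_vulnerable(mysqli $conn, string $fname, string $lname, int $id): bool
{
    $sql = "UPDATE users SET fname='$fname', lname='$lname' WHERE id=$id";
    return $conn->query($sql) !== false;
}

// Hardened form: a prepared statement keeps query text and data separate,
// so fname/lname are never interpreted as SQL. The format check is defence
// in depth (it also enforces sensible lengths), not the primary control.
function fln_update_safe(mysqli $conn, string $fname, string $lname, int $id): bool
{
    foreach ([$fname, $lname] as $value) {
        // Names: 1 to 60 characters of letters, spaces, hyphens or apostrophes.
        if (!preg_match("/^[\p{L} '-]{1,60}$/u", $value)) {
            return false;
        }
    }

    $stmt = $conn->prepare('UPDATE users SET fname = ?, lname = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    // 's' binds a string, 'i' an integer; values travel to the server as data.
    $stmt->bind_param('ssi', $fname, $lname, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

With the prepared statement in place, a value such as an apostrophe in a surname is stored literally rather than terminating the SQL string.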

File Access Restriction (linux)

Block direct access to the vulnerable PHP file via web server configuration. Note that this also disables whatever edit functionality the application routes through /_parse/, so test the application after applying it.

  • Apache: add 'Deny from all' to an .htaccess file in the /_parse/ directory (on Apache 2.4 the equivalent directive is 'Require all denied')
  • nginx: use a location block matching /_parse/ that returns 403

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns targeting fname/lname parameters.
  • Restrict database user permissions to minimum required operations.

🔍 How to Verify

Check if Vulnerable:

Check if /_parse/_all_edits.php exists and contains unsanitized fname/lname parameters in SQL queries.

Check Version:

Check software version in admin panel or readme files.

Verify Fix Applied:

Test with SQL injection payloads in fname/lname parameters to confirm they're properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests to /_parse/_all_edits.php with special characters

Network Indicators:

  • HTTP POST requests to vulnerable endpoint with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/_parse/_all_edits.php" AND (param="fname" OR param="lname") AND (content="UNION" OR content="SELECT" OR content="INSERT" OR content="DELETE")
