CVE-2024-12969

7.3 HIGH

📋 TL;DR

This high-severity (CVSS 7.3) SQL injection vulnerability in code-projects Hospital Management System 1.0 lets an unauthenticated remote attacker inject arbitrary SQL through the admin login form at /admin/index.php. Successful exploitation can bypass authentication, expose patient data, or compromise the backing database. Any deployment of the vulnerable version is affected.

💻 Affected Systems

Products:
  • code-projects Hospital Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/index.php login component specifically. All installations of version 1.0 are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to patient data exfiltration, system takeover, ransomware deployment, or destruction of medical records.

🟠 Likely Case

Authentication bypass allowing unauthorized access to the hospital management system, patient data theft, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper network segmentation, WAF protection, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof of concept is available on GitHub. The injection sits in the login form itself, so the attacker needs no credentials, only HTTP access to /admin/index.php.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check the vendor website for updates.
2. If no patch is available, implement the workarounds below.
3. Consider replacing the software with a maintained alternative.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platform: all

Deploy a WAF with SQL injection rules in front of /admin/index.php to block common payloads. Treat this as a stopgap only: WAF signatures can be bypassed with encoding and comment tricks, so it does not remove the flaw.

Input Validation

Platform: all

Rewrite the login query in /admin/index.php to use prepared statements (PDO or mysqli with bound parameters) instead of concatenating the submitted username and password into the SQL string. With no vendor patch published, this code change is the actual fix rather than a workaround; input sanitization alone is not a substitute for it.

🧯 If You Can't Patch

  • Isolate the system on an internal network with no internet access
  • Implement strict network segmentation and firewall rules so only the hosts that need the admin interface can reach /admin/index.php
  • Run the application's database account with the minimum privileges it needs (no administrative, DROP, or file-access rights), so a successful injection cannot take the whole database server

🔍 How to Verify

Check if Vulnerable:

Against a test copy of the application (not production), submit a payload such as ' OR '1'='1 in the username or password field of the /admin/index.php login form. If the application logs you in without valid credentials, it is vulnerable. A database error triggered by a lone single quote is also a strong sign that the input reaches the query unparameterized.

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Attempt SQL injection after implementing fixes and verify login fails with malicious input
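The following is an added example, not code from Hospital Management System 1.0 or from the vendor. It models the flaw and the fix described under Input Validation, and it doubles as the verification check above: the same canned payloads are run against a login function that concatenates input into SQL and against one that binds parameters. The admin table, its single account, and the plain-text password column are constructed for the demo (the page says nothing about the real schema or how the application stores passwords); SQLite stands in for the application's database.

```python
import sqlite3

# Added example, not code from Hospital Management System 1.0. The table
# below is a constructed stand-in: the real schema is not shown on this page.
BYPASS_PAYLOADS = [
    ("x", "' OR '1'='1"),        # the payload quoted in the verification step
    ("admin'--", "anything"),    # comments out the password check
    ("' OR 1=1--", "anything"),  # same idea, no quotes needed in the value
]


def make_db():
    """In-memory admin table with one known account (constructed data;
    plain-text password only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'S3cret!')")
    return conn


def vulnerable_login(conn, username, password):
    """Mirrors the flaw: user input is concatenated into the SQL text,
    so a quote in either field rewrites the WHERE clause."""
    sql = ("SELECT username FROM admin WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, password):
    """Hardened form: the SQL text is fixed and both values are bound as
    parameters, so quotes and comment markers are just characters."""
    sql = "SELECT username FROM admin WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def bypasses_auth(conn, login):
    """True if any canned payload logs in without the real credentials.
    Run it against the login code before and after the fix."""
    return any(login(conn, u, p) for u, p in BYPASS_PAYLOADS)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable bypassed:", bypasses_auth(db, vulnerable_login))  # True
    print("hardened bypassed:  ", bypasses_auth(db, safe_login))        # False
```

The hardened version is not "sanitized" input; the values never become part of the SQL text at all, which is why the same payloads simply fail to match an account. The equivalent change in the PHP code is a PDO or mysqli prepared statement with the two form fields bound as parameters.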

📡 Detection & Monitoring

Log Indicators:

  • Failed (or unexpectedly successful) login attempts whose username or password fields contain SQL syntax: single quotes, OR, --, UNION SELECT
  • Unusual database queries from the web server's database account, especially ones that return whole tables from a login request

Network Indicators:

  • HTTP POST requests to /admin/index.php with SQL payloads
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/admin/index.php" AND (request_body CONTAINS "' OR" OR request_body CONTAINS "UNION SELECT" OR request_body CONTAINS "--")

Caveats: request_body is only present if something in front of the application (a WAF or reverse proxy with body logging) records POST bodies; a standard access log holds the URI but not the form fields. Decode the body before matching, since browsers send ' OR as %27+OR, and expect some noise from "--" in legitimate input.
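The query above, as an added example that is not part of the original page, run over constructed log lines in the shape of a WAF or reverse-proxy audit log that records POST bodies (a plain access log has no request_body field). The field names, timestamps, and addresses are made up for the demo; the logic URL-decodes each body before matching, which the raw-substring SIEM query would not do.

```python
import json
import re
from urllib.parse import unquote_plus

# Added example, not part of the original page. These log lines are
# constructed; the field names mirror the SIEM query, not a specific product.
SAMPLE_LOG = """
{"ts": "2025-01-05T10:00:01Z", "src_ip": "203.0.113.10", "method": "POST", "uri": "/admin/index.php", "request_body": "username=admin&password=S3cret%21"}
{"ts": "2025-01-05T10:00:07Z", "src_ip": "198.51.100.7", "method": "POST", "uri": "/admin/index.php", "request_body": "username=x&password=%27+OR+%271%27%3D%271"}
{"ts": "2025-01-05T10:00:09Z", "src_ip": "198.51.100.7", "method": "GET", "uri": "/admin/index.php", "request_body": ""}
{"ts": "2025-01-05T10:00:12Z", "src_ip": "198.51.100.7", "method": "POST", "uri": "/admin/index.php", "request_body": "username=admin%27--&password=a"}
{"ts": "2025-01-05T10:00:20Z", "src_ip": "203.0.113.11", "method": "POST", "uri": "/admin/index.php", "request_body": "username=o%27brien&password=pass"}
{"ts": "2025-01-05T10:00:25Z", "src_ip": "198.51.100.7", "method": "POST", "uri": "/login.php", "request_body": "username=%27+UNION+SELECT+1--&password=a"}
"""

# The three indicators from the SIEM query, as regexes applied after decoding.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\b", re.IGNORECASE),            # ' OR
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),  # UNION SELECT
    re.compile(r"--"),                                 # comment terminator
]


def is_sqli(body):
    """Match the indicators against the URL-decoded form body. Decoding
    first matters: a browser sends ' OR as %27+OR, so a raw-string match
    on "' OR" would miss it. An apostrophe in a real name (o'brien) does
    not match because "or" must follow the quote as a whole word."""
    decoded = unquote_plus(body)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def find_sqli_attempts(log_text):
    """Return (timestamp, src_ip, decoded body) for every POST to the
    vulnerable login page whose body matches an injection pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("method") != "POST" or ev.get("uri") != "/admin/index.php":
            continue
        body = ev.get("request_body", "")
        if is_sqli(body):
            hits.append((ev["ts"], ev["src_ip"], unquote_plus(body)))
    return hits


if __name__ == "__main__":
    for ts, ip, body in find_sqli_attempts(SAMPLE_LOG):
        print(ts, ip, body)
```

On the constructed lines this flags the two POSTs from 198.51.100.7 that carry injection payloads and ignores the legitimate login, the GET, the apostrophe in a real surname, and the UNION attempt against a different path. Pivoting on the source address of a hit, and checking whether a hit was followed by a successful session, is the natural next step in triage.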

🔗 References
