CVE-2024-12978

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in Job Recruitment 1.0 allows remote attackers to execute arbitrary SQL commands via the jid/limit parameters in the add_req function. Attackers can potentially read, modify, or delete database content, including sensitive user data. All deployments of Job Recruitment 1.0 with the vulnerable /_parse/_all_edits.php file are affected.

💻 Affected Systems

Products:
  • Job Recruitment
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation using the vulnerable /_parse/_all_edits.php file is affected regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access and extraction of sensitive information like user credentials, personal data, and application configuration.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details are available.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external threat is higher due to public disclosure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making this easily weaponizable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates
2. If no patch available, implement workarounds
3. Consider replacing with alternative software

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add server-side validation to sanitize the jid and limit parameters before processing.

Modify /_parse/_all_edits.php to validate and sanitize input parameters.

WAF Rule Implementation (applies to: all)

Deploy web application firewall rules to block SQL injection patterns.

Add WAF rules to detect and block SQL injection attempts against /_parse/_all_edits.php.
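The input validation workaround above, shown as an added example rather than the project's own code: both parameters are validated as bounded integers and then bound to a prepared statement instead of being interpolated into the SQL string. The `$pdo` connection, the `add_req_hardened` function name and the table/column names are hypothetical; the real add_req query in Job Recruitment 1.0 is not reproduced on this page.

```php
<?php
// Added example (not Job Recruitment's own code): hardened handling of the
// jid and limit parameters before they reach the database.
// Assumptions (hypothetical): $pdo is an existing PDO connection, ideally with
// PDO::ATTR_EMULATE_PREPARES set to false; the query shape is illustrative.

function read_int_param(array $src, string $name, int $min, int $max): int
{
    if (!isset($src[$name])) {
        throw new InvalidArgumentException("missing parameter: $name");
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain decimal integer
    // in range, so "1 OR 1=1", "1;--" and similar never reach the query text.
    $value = filter_var($src[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException("invalid parameter: $name");
    }
    return $value;
}

function add_req_hardened(PDO $pdo, array $request): array
{
    $jid   = read_int_param($request, 'jid', 1, PHP_INT_MAX);
    $limit = read_int_param($request, 'limit', 1, 100);

    // Bind as integers instead of concatenating into the SQL string. The values
    // travel separately from the statement, so they cannot change its structure.
    // Table and column names are placeholders, not the project's schema.
    $stmt = $pdo->prepare(
        'SELECT * FROM job_requirements WHERE job_id = :jid LIMIT :limit'
    );
    $stmt->bindValue(':jid', $jid, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: malformed input is rejected with 400 and logged, which also gives
// the "unusual SQL errors" indicator below a cleaner signal to watch for.
try {
    $rows = add_req_hardened($pdo, $_GET);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    error_log('rejected input on _all_edits.php: ' . $e->getMessage());
    echo 'Bad request';
}
```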

🧯 If You Can't Patch

  • Restrict access to /_parse/_all_edits.php via firewall rules or authentication
  • Implement database user with minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test the /_parse/_all_edits.php endpoint with SQL injection payloads in jid or limit parameters

Check Version:

Check application files or documentation for version information

Verify Fix Applied:

Attempt SQL injection after fixes and verify no database errors or unexpected behavior occurs

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests to /_parse/_all_edits.php with suspicious parameters

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in parameters
  • Unusual database query patterns from application server

SIEM Query:

source="web_logs" AND uri="/_parse/_all_edits.php" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR*1=1*")
