Login Sign Up

CVE-2024-13024

6.3 MEDIUM
SQL Injection

📋 TL;DR

This vulnerability allows remote attackers to execute SQL injection attacks via the 'cname' parameter in the /campaign.php file of Codezips Blood Bank Management System 1.0. Attackers can potentially read, modify, or delete database contents, including sensitive blood bank and patient data. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • Codezips Blood Bank Management System
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web application component; no specific OS requirements mentioned

📦 What is this software?

Blood Bank Management System by Codezips

View all CVEs affecting Blood Bank Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or unauthorized administrative access to the blood bank system

🟠

Likely Case

Extraction of sensitive patient/donor information, modification of blood inventory records, or partial system disruption

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub; remote attack vector with simple SQL injection payloads

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative blood bank management systems or implementing custom fixes with parameterized queries.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting /campaign.php and cname parameter

Input Validation Filter

all

Implement server-side input validation to sanitize cname parameter before processing

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement database user privilege restrictions to minimize potential damage from SQL injection

🔍 How to Verify

Check if Vulnerable:

Test /campaign.php endpoint with SQL injection payloads in cname parameter (e.g., ' OR '1'='1)

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests to /campaign.php with suspicious parameters
  • Database query anomalies

Network Indicators:

  • HTTP requests to /campaign.php containing SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/campaign.php" AND (param="cname" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|or|and|'|--|#)")

📊 Metadata

CVE ID: CVE-2024-13024
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
Published: December 29, 2024
Last Updated: February 25, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-13024, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)