CVE-2024-22625

7.2 HIGH

📋 TL;DR

Complete Supplier Management System v1.0 contains a SQL injection vulnerability in the `id` parameter of the admin endpoint /admin/edit_category.php: the parameter is placed into a database query without validation or parameter binding, so anyone who can reach the endpoint (an admin session is required) can run attacker-chosen SQL against the application's database. All deployments of this version are affected. Through this flaw an attacker can read, modify, or delete database content, and, depending on database privileges, go further.

💻 Affected Systems

Products:
  • Complete Supplier Management System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed only for v1.0; other versions have not been tested and may share the same code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: data theft, data destruction, and authentication bypass (e.g., rewriting admin credentials), plus potential server takeover if the database account holds privileges that let SQL injection be chained to code execution, such as MySQL's FILE privilege (INTO OUTFILE) on a writable web root.

🟠

Likely Case

Unauthorized access to sensitive supplier data, modification of system categories, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact: with the `id` parameter validated as an integer and bound in a prepared statement the injection is closed, and with a least-privilege database account the worst case of a residual flaw is confined to the tables and statements that account is allowed to use.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to reach the vulnerable endpoint, but SQL injection payloads are simple and well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is known. Fix edit_category.php directly: validate the `id` parameter as an integer and pass it to the query through a prepared statement (PDO or mysqli bind_param). Escaping alone is not sufficient here, since a numeric parameter that is not wrapped in quotes in the SQL text cannot be protected by string escaping.
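The following is an added example, not the vendor's code: the page does not show the real edit_category.php, so the table name `categories`, its `id`/`name` columns, and the in-memory SQLite database are assumptions chosen so the snippet runs stand-alone. It places the vulnerable string-concatenation pattern next to the hardened handler (integer validation plus a bound parameter) for both the read and the write path, and feeds the page's own verification payload to each.

```php
<?php
// Added example (not the vendor's code). The real edit_category.php and its
// schema are not on the page; the `categories` table and the in-memory SQLite
// database below are assumptions so that the functions can be exercised offline.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO categories (id, name) VALUES (1, 'Hardware'), (2, 'Software'), (3, 'Logistics')");

// --- Vulnerable pattern: the id parameter is concatenated into the SQL text. ---
// Anything in $id becomes part of the query grammar ("1' OR '1'='1" returns every row).
function loadCategoryVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM categories WHERE id = '" . $id . "'";   // injection point
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: validate the type first, then bind the value. ---
function loadCategoryFixed(PDO $db, string $id): array
{
    // 1. A category id is a positive integer; reject everything else before any SQL runs.
    $clean = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($clean === false) {
        return [];                      // in the real handler: http_response_code(400)
    }
    // 2. Prepared statement: the value travels separately from the SQL text,
    //    so it can never change the structure of the query.
    $stmt = $db->prepare('SELECT id, name FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $clean, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same rule on the write path (the edit form's POST): every user-supplied value is bound.
function updateCategoryFixed(PDO $db, string $id, string $name): bool
{
    $clean = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $name  = trim($name);
    if ($clean === false || $name === '' || strlen($name) > 100) {
        return false;
    }
    $stmt = $db->prepare('UPDATE categories SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $clean, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Exercise both handlers with a normal id and with the page's verification payload.
$payload = "1' OR '1'='1";
printf("vulnerable, id=1      : %d row(s)\n", count(loadCategoryVulnerable($db, '1')));
printf("vulnerable, payload   : %d row(s)\n", count(loadCategoryVulnerable($db, $payload)));
printf("fixed, id=1           : %d row(s)\n", count(loadCategoryFixed($db, '1')));
printf("fixed, payload        : %d row(s)\n", count(loadCategoryFixed($db, $payload)));
printf("fixed update of id=2  : %s\n", updateCategoryFixed($db, '2', 'Services') ? 'ok' : 'rejected');
```

Run with `php example.php` (needs the pdo_sqlite extension). Against the vulnerable function the payload returns the whole table, while the hardened function refuses it before any query is sent. When the application talks to MySQL rather than SQLite, also set `PDO::ATTR_EMULATE_PREPARES => false` on the connection so the server, not the PHP driver, parses the placeholders; with mysqli the equivalent is `mysqli_prepare()` followed by `bind_param('i', $id)`.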

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection rules to block malicious requests to the vulnerable endpoint.

Input Validation Filter

all

Add server-side validation so the 'id' parameter is accepted only as an integer before it reaches any query. Prefer FILTER_VALIDATE_INT over is_numeric(), which also accepts floats, exponents and leading whitespace; either blocks the quote-based payloads, but the integer check matches what a category id actually is. This is a stopgap, not a substitute for prepared statements.

// PHP example, at the top of edit_category.php:
if (filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT) === false) { http_response_code(400); die('Invalid input'); }

🧯 If You Can't Patch

  • Restrict network access to the admin interface using firewall rules or network segmentation.
  • Run the application under a least-privilege database account: grant only the SELECT/INSERT/UPDATE/DELETE it needs on its own tables, and no FILE, SUPER, or cross-database rights. This does not stop the injection, but it removes the usual path from SQL injection to file writes and code execution.

🔍 How to Verify

Check if Vulnerable:

On a test copy of the application (the endpoint requires an admin session), request /admin/edit_category.php?id=1' OR '1'='1 and compare the response with a plain id=1: a SQL error, a different record set, or a noticeably different response size means the parameter reaches the query unsanitized. For a numeric id a quieter pair is id=1 AND 1=1 versus id=1 AND 1=2, where a vulnerable endpoint returns the record for the first and nothing for the second.

Check Version:

Check application version in admin panel or source code comments.

Verify Fix Applied:

Repeat the same requests. A fixed endpoint responds to the injected variants with an error (e.g., HTTP 400) or with exactly the same record as id=1 regardless of the appended SQL, and the application and database logs show no SQL syntax errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests to edit_category.php with suspicious parameters

Network Indicators:

  • HTTP requests to /admin/edit_category.php whose query string, after URL-decoding, contains SQL keywords (UNION, SELECT, OR 1=1), quotes, comment markers (--, #, /*) or statement separators (;)

SIEM Query:

source="web_logs" AND uri="/admin/edit_category.php" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR*1*" OR param="*'*" OR param="*--*" OR param="*;*")

Match on the decoded query string: raw access logs carry the payload URL-encoded (%27 for the quote, %20 for spaces), so the quote and keyword patterns above miss it otherwise. The bare "*OR*1*" term also matches ordinary words containing "or", so tune on your own traffic or pair it with a surrounding-whitespace check.
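As an added example (not from the page or the vendor), the same detection logic run offline over a few constructed combined-format access log lines: the IPs, timestamps and user agents are made up. It parses each line, keeps only requests to the vulnerable endpoint, URL-decodes the query string, and then applies regex equivalents of the SIEM wildcards, grouping hits by source IP. Two of the sample lines carry the payload only in encoded form, which is exactly what a match on the raw line would miss.

```php
<?php
// Added example (not from the page or vendor). SAMPLE_LOG is constructed:
// the addresses, timestamps and user agents are invented for illustration.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Jan/2024:10:01:02 +0000] "GET /admin/edit_category.php?id=7 HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:10:01:09 +0000] "GET /admin/edit_category.php?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9822 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2024:10:01:15 +0000] "GET /admin/edit_category.php?id=7%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 412 "-" "sqlmap/1.7"
198.51.100.5 - - [12/Jan/2024:10:02:00 +0000] "GET /admin/edit_category.php?id=12 HTTP/1.1" 200 2298 "-" "Mozilla/5.0"
198.51.100.5 - - [12/Jan/2024:10:02:30 +0000] "GET /index.php?q=Doors+OR+Windows HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Regex equivalents of the SIEM query's wildcards, applied to the DECODED query
// string. Word boundaries around OR/UNION/SELECT cut hits on ordinary words.
const SQLI_PATTERNS = [
    'union'   => '/\bUNION\b/i',
    'select'  => '/\bSELECT\b/i',
    'or_1'    => '/\bOR\b\s*[\'"]?\s*1\b/i',   // tautology: OR 1 / OR '1
    'quote'   => '/\'/',
    'comment' => '/--|#|\/\*/',
    'stack'   => '/;/',
];

/** Parse one combined-format line into ip/path/query/status, or null if unparseable. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[2]);
    return [
        'ip'     => $m[1],
        'path'   => $parts['path'] ?? '',
        'query'  => $parts['query'] ?? '',
        'status' => (int) $m[3],
    ];
}

/** Names of the patterns that match the decoded query string; [] when clean. */
function sqliIndicators(string $rawQuery): array
{
    // '+' is a space in form encoding; decode percent-escapes after that.
    $decoded = rawurldecode(str_replace('+', ' ', $rawQuery));
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Suspicious requests to the vulnerable endpoint, grouped by source IP. */
function scanAccessLog(string $log, string $endpoint = '/admin/edit_category.php'): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null || $req['path'] !== $endpoint) {
            continue;                       // other endpoints are out of scope here
        }
        $hits = sqliIndicators($req['query']);
        if ($hits !== []) {
            $alerts[$req['ip']][] = ['query' => $req['query'], 'status' => $req['status'], 'hits' => $hits];
        }
    }
    return $alerts;
}

foreach (scanAccessLog(SAMPLE_LOG) as $ip => $events) {
    printf("%s: %d suspicious request(s) to edit_category.php\n", $ip, count($events));
    foreach ($events as $e) {
        printf("  status=%d indicators=%s query=%s\n", $e['status'], implode(',', $e['hits']), $e['query']);
    }
}
```

A burst of several flagged requests from one address, especially when some return HTTP 500 (a SQL error surfacing) or carry a scanner user agent, is the pattern to alert on; a single quote in one request from an admin is more often a typo. The same decode-then-match step belongs in the SIEM query, whether as a pre-extraction of the decoded query field or a decode function in the search.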

🔗 References
