CVE-2024-22627

7.2 HIGH

📋 TL;DR

Complete Supplier Management System v1.0 contains a SQL injection vulnerability in the distributor editing functionality. Attackers can manipulate database queries through the 'id' parameter in the admin panel, potentially accessing or modifying sensitive supplier data. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • Complete Supplier Management System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but SQL injection can potentially bypass authentication if chained with other vulnerabilities.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise including extraction of all supplier data, customer information, financial records, and potential authentication bypass to gain administrative control of the entire system.

🟠 Likely Case

Unauthorized access to supplier database tables, exposure of sensitive business information, and potential data manipulation affecting supply chain operations.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting query execution to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the admin interface, but SQL injection payloads are well-documented and easy to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Review the edit_distributor.php file
2. Implement parameterized queries or prepared statements
3. Add input validation for the 'id' parameter
4. Sanitize all user inputs before database interaction

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with SQL injection protection rules to block malicious payloads

Input Validation Filter

Applies to: all

Add server-side validation to restrict 'id' parameter to numeric values only

Add to edit_distributor.php: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

Note that is_numeric() also accepts floats and exponent notation (e.g. "1.5", "1e3"); filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT) is the stricter check if the identifier is an integer. Validation is a stop-gap only; the actual fix is the prepared statement.
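The following is an added example, not code from Complete Supplier Management System, showing how the fix steps above (parameterized query plus strict validation of 'id') and the input-validation workaround fit together in one handler. The table name `distributors`, its columns, the function names and the SQLite demo data are all assumptions made for the example; PHP 8 with the PDO SQLite driver is assumed for the self-contained run.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names): strict validation of the 'id' request
// parameter followed by a prepared statement, so the value is bound as data
// and never concatenated into the SQL text.

function validateDistributorId(?string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects quotes, floats and exponent forms that
    // is_numeric() would accept; only a positive integer passes.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadDistributor(PDO $db, int $id): ?array
{
    // Prepared statement with a typed bound parameter (assumed schema).
    $stmt = $db->prepare('SELECT id, name, contact FROM distributors WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE distributors (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)');
$db->exec("INSERT INTO distributors VALUES (1, 'Acme Parts', 'ops@example.invalid')");

// Constructed inputs: a valid id, the advisory's test payload, and values
// that is_numeric() would have let through.
foreach (["1", "1' OR '1'='1", "1e3", "1.5", "0", "2"] as $input) {
    $id = validateDistributorId($input);
    if ($id === null) {
        echo "rejected: " . json_encode($input) . "\n";
        continue;
    }
    $row = loadDistributor($db, $id);
    echo "accepted: $id -> " . ($row ? $row['name'] : 'no such distributor') . "\n";
}
```

In a real handler, the rejected branch should return a 400 response and log the event rather than die() with a bare string; the point here is that the SQL text is fixed at prepare time, so even a value that slips past validation cannot change the query's structure.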

🧯 If You Can't Patch

  • Restrict admin panel access to trusted IP addresses only
  • Implement database user with minimal permissions (read-only for non-admin functions)

🔍 How to Verify

Check if Vulnerable:

Test the vulnerable endpoint with SQL injection payloads: /Supply_Management_System/admin/edit_distributor.php?id=1' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Attempt SQL injection payloads and verify they are rejected or properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • Multiple failed login attempts followed by SQL error messages
  • Requests with SQL keywords in URL parameters

Network Indicators:

  • HTTP requests containing SQL injection payloads to the vulnerable endpoint
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (uri="*edit_distributor.php*" AND (query="*OR*" OR query="*UNION*" OR query="*SELECT*" OR query="*--*"))
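As an added example (not part of this advisory or the product), the same logic as the SIEM query above, applied offline to web server access logs. It flags requests to edit_distributor.php whose 'id' is not an integer or whose query string carries SQL keywords, comment markers or quotes; the log lines are constructed samples, the function name is an assumption, and PHP 8 is assumed for str_contains()/str_ends_with().

```php
<?php
declare(strict_types=1);

// Constructed sample access-log lines in common log format (not real traffic).
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /Supply_Management_System/admin/edit_distributor.php?id=7 HTTP/1.1" 200 2311
10.0.0.9 - - [10/Jan/2024:10:00:05 +0000] "GET /Supply_Management_System/admin/edit_distributor.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9842
10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /Supply_Management_System/admin/edit_distributor.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512
10.0.0.5 - - [10/Jan/2024:10:00:09 +0000] "GET /Supply_Management_System/admin/index.php HTTP/1.1" 200 1200
LOG;

// Hypothetical helper: returns one record per suspicious request, with the
// reasons it was flagged, mirroring the SIEM query's keyword conditions.
function flagSuspiciousRequests(string $log): array
{
    $flagged = [];
    foreach (explode("\n", trim($log)) as $line) {
        // client ip, timestamp, method, request target, status
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $target, $status] = $m;

        $path = (string)(parse_url($target, PHP_URL_PATH) ?? '');
        if (!str_ends_with($path, '/edit_distributor.php')) {
            continue;            // only the vulnerable endpoint is of interest
        }
        $rawQuery = (string)(parse_url($target, PHP_URL_QUERY) ?? '');
        parse_str($rawQuery, $params);        // parse_str percent-decodes values
        $decoded = rawurldecode($rawQuery);
        $id = (string)($params['id'] ?? '');

        $reasons = [];
        if ($id !== '' && filter_var($id, FILTER_VALIDATE_INT) === false) {
            $reasons[] = 'non-integer id';
        }
        if (preg_match('/\b(OR|AND|UNION|SELECT)\b/i', $decoded)) {
            $reasons[] = 'SQL keyword in query string';
        }
        if (str_contains($decoded, '--') || str_contains($decoded, "'")) {
            $reasons[] = 'comment marker or quote';
        }
        if ($reasons !== []) {
            $flagged[] = compact('ip', 'ts', 'method', 'target', 'status', 'reasons');
        }
    }
    return $flagged;
}

// Demo run over the constructed lines: the two requests from 10.0.0.9 are
// reported, the plain id=7 request and the index.php request are not.
foreach (flagSuspiciousRequests(SAMPLE_LOG) as $hit) {
    printf("%s %s %s -> %s (%s)\n", $hit['ts'], $hit['ip'], $hit['target'], $hit['status'],
        implode(', ', $hit['reasons']));
}
```

The non-integer check is the most reliable signal for this endpoint, since a legitimate 'id' is always a number; the keyword and quote checks reproduce the SIEM query's wildcard matches and will also fire on benign values that happen to contain "or", so tune them against your own traffic before alerting on them.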
