CVE-2024-24093

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Code-projects Scholars Tracking System 1.0 allows an authenticated attacker to execute arbitrary SQL commands through the Personal Information Update feature. An attacker can potentially read, modify, or delete database contents and, in some configurations, execute arbitrary code on the server. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • Code-projects Scholars Tracking System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using the default configuration is vulnerable. The vulnerability exists in the Personal Information Update functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, including remote code execution, data exfiltration, and persistent backdoor installation
🟠 Likely Case: Database compromise leading to theft, modification, or deletion of student records and system information
🟢 If Mitigated: Limited impact; proper input validation and restricted database permissions confine damage to specific tables

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account that can reach the Personal Information Update feature. Crafted SQL injection payloads submitted through that feature can execute arbitrary SQL commands against the backing database.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries and input validation as workarounds.

🔧 Temporary Workarounds

Implement Parameterized Queries (applies to: all)

Replace dynamic SQL queries with parameterized/prepared statements to prevent SQL injection.

Input Validation and Sanitization (applies to: all)

Add strict input validation and sanitization for all user inputs in the Personal Information Update feature.
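As an added illustration of the two workarounds above (this is not code from the Scholars Tracking System, whose source and schema are not shown on this page), the following Python snippet uses sqlite3 to contrast a concatenated UPDATE, which the ' OR '1'='1 payload from the verification section turns into a mass update, with the parameterized form plus a simple validation check. The students table and its column names are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's student table
    # (hypothetical column names, not the project's real schema).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    con.executemany(
        "INSERT INTO students (id, name, phone) VALUES (?, ?, ?)",
        [(1, "Alice", "111"), (2, "Bob", "222"), (3, "Carol", "333")],
    )
    con.commit()
    return con


def update_phone_vulnerable(con, student_id, phone):
    # Dynamic SQL built by string concatenation: the request values become part
    # of the statement text, so a quote in student_id rewrites the WHERE clause
    # and the update can touch every row instead of one.
    sql = f"UPDATE students SET phone = '{phone}' WHERE id = '{student_id}'"
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # number of rows actually modified


def update_phone_safe(con, student_id, phone):
    # Parameterized statement: the driver passes the values separately from the
    # query text, so the same payload is compared as literal data and matches
    # nothing rather than altering the query.
    cur = con.execute("UPDATE students SET phone = ? WHERE id = ?", (phone, student_id))
    con.commit()
    return cur.rowcount


def is_valid_student_id(value):
    # Input validation layered on top of parameterization: a student id must be
    # a plain non-negative integer, so injection strings are rejected up front.
    return str(value).isdigit()


if __name__ == "__main__":
    payload = "2' OR '1'='1"  # payload form quoted on this page
    print("vulnerable rows changed:", update_phone_vulnerable(make_db(), payload, "999"))
    print("parameterized rows changed:", update_phone_safe(make_db(), payload, "999"))
    print("payload passes validation:", is_valid_student_id(payload))
```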

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required access

🔍 How to Verify

Check if Vulnerable:

Test the Personal Information Update feature with SQL injection payloads like ' OR '1'='1

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection payloads no longer work

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by Personal Information Update requests
  • SQL syntax errors in application logs

Network Indicators:

  • Unusual database connection patterns
  • Large data transfers from database server

SIEM Query:

source="web_logs" AND (url="*personal*update*" OR url="*profile*update*") AND (message="*sql*" OR message="*union*" OR message="*select*" OR message="*or '1'='1*")
