CVE-2024-24095

9.8 CRITICAL

📋 TL;DR

Simple Stock System 1.0 contains a SQL injection vulnerability that allows attackers to execute arbitrary SQL commands on the database. This affects all installations of Simple Stock System 1.0 that are exposed to untrusted input, potentially compromising the entire database.

💻 Affected Systems

Products:
  • Code-projects Simple Stock System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited with automated tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to a supported inventory management system or implementing custom fixes.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all)

Add server-side input validation to sanitize all user inputs before processing SQL queries.

Use Parameterized Queries (applies to: all)

Replace dynamic SQL queries with parameterized/prepared statements in all database interactions.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection protection rules
  • Restrict database user permissions to minimum required privileges

🔍 How to Verify

Check if Vulnerable:

Test application inputs with SQL injection payloads like ' OR '1'='1 and monitor database responses.

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Retest with SQL injection payloads after implementing fixes to confirm they are properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • SQL syntax errors in application logs
  • Multiple failed login attempts with SQL-like payloads

Network Indicators:

  • HTTP requests containing SQL keywords like UNION, SELECT, INSERT, DROP

SIEM Query:

source="web_server" AND ("UNION" OR "SELECT" OR "INSERT" OR "DROP" OR "' OR '1'='1")
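As an added example (not part of this advisory), the Python below applies the log indicators listed above to constructed access-log lines. It URL-decodes query-string values first, since a literal match like the SIEM query misses an encoded payload, and it only counts the listed keywords when they appear inside a SQL clause next to a quote or comment marker, so an ordinary value such as a supplier named "Union Hardware" is not flagged. The log lines, paths and parameter names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines for illustration (not from any real incident).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /stock/item.php?id=3 HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2024:10:00:02 +0000] "GET /stock/item.php?id=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9210
10.0.0.9 - - [01/Mar/2024:10:00:03 +0000] "GET /stock/item.php?id=-1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0
10.0.0.7 - - [01/Mar/2024:10:00:04 +0000] "GET /stock/supplier.php?name=Union%20Hardware HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# The tautology named in the advisory (' OR '1'='1), with any quoted operands.
TAUTOLOGY_RE = re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)
# Advisory keywords count only inside a SQL clause and next to a quote or comment marker.
KEYWORD_RE = re.compile(r"\b(union\s+(all\s+)?select|select\s+.+\s+from|insert\s+into|drop\s+table)\b", re.I)
SQL_SYNTAX_RE = re.compile(r"(--|#|/\*|')")

def decode_param_values(target):
    """Return URL-decoded query-string values, undoing up to three encoding layers."""
    values = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        for _ in range(3):
            decoded = unquote_plus(value)
            if decoded == value:
                break
            value = decoded
        values.append(value)
    return values

def classify(value):
    # Label a decoded parameter value, or return None when it looks benign.
    if TAUTOLOGY_RE.search(value):
        return "tautology"
    if KEYWORD_RE.search(value) and SQL_SYNTAX_RE.search(value):
        return "keyword-chain"
    return None

def scan_log(text):
    """Return (request_target, label) for each log line carrying an indicator."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for value in decode_param_values(match.group(1)):
            label = classify(value)
            if label:
                hits.append((match.group(1), label))
                break
    return hits
```

Running scan_log(SAMPLE_LOG) flags the second and third lines only; tune KEYWORD_RE to the parameter names your deployment actually uses before wiring it into alerting.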
