CVE-2024-24100

8.3 HIGH

📋 TL;DR

Code-projects Computer Book Store 1.0 contains a SQL injection vulnerability in the PublisherID parameter that allows attackers to execute arbitrary SQL commands. This affects all installations of this specific software version. Attackers could potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Code-projects Computer Book Store
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access and extraction of sensitive information from the database.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via PublisherID parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch is available. Implement parameterized queries and input validation in the source code.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with SQL injection protection rules to block malicious requests.

Input Validation

Applies to: all

Implement strict input validation for the PublisherID parameter so that only expected values are accepted.

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with SQL injection filtering
  • Implement network segmentation to limit database access from the application server

🔍 How to Verify

Check if Vulnerable:

Test the PublisherID parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check application version in admin panel or configuration files.

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection payloads are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts via the PublisherID parameter

Network Indicators:

  • SQL keywords in HTTP requests to PublisherID parameter
  • Unusual database query patterns

SIEM Query:

SELECT * FROM web_logs WHERE uri LIKE '%PublisherID%' AND (request LIKE '%OR%' OR request LIKE '%UNION%' OR request LIKE '%SELECT%')
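The SIEM query above matches bare substrings, so the OR clause also fires on any request containing "or" inside an ordinary word (author, sort, order). The following is an added example, not part of this advisory: a Python scanner over constructed access-log lines that implements the page's rule as written next to a refined version that decodes the PublisherID value itself and flags quotes, whole-word SQL keywords, or non-numeric content. The log lines, paths and addresses are constructed, and the assumption that PublisherID is normally a numeric key is mine, not the advisory's.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (hypothetical paths and addresses, not from the advisory).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Feb/2024:10:00:01 +0000] "GET /books.php?PublisherID=3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Feb/2024:10:00:02 +0000] "GET /books.php?PublisherID=3%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812',
    '10.0.0.6 - - [01/Feb/2024:10:00:03 +0000] "GET /books.php?PublisherID=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 122',
    '10.0.0.7 - - [01/Feb/2024:10:00:04 +0000] "GET /books.php?PublisherID=7&sort=author HTTP/1.1" 200 300',
    '10.0.0.8 - - [01/Feb/2024:10:00:05 +0000] "GET /search.php?q=SELECT+works HTTP/1.1" 200 300',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Whole-word keyword match, so "author" or "sort" do not trip the rule.
SQL_KEYWORD_RE = re.compile(r"\b(OR|AND|UNION|SELECT|SLEEP|BENCHMARK)\b", re.IGNORECASE)


def naive_match(line: str) -> bool:
    """The advisory's SIEM rule as written: substring checks over the whole line."""
    up = line.upper()
    return "PUBLISHERID" in up and any(k in up for k in ("OR", "UNION", "SELECT"))


def publisher_id_values(line: str) -> list:
    """Return every URL-decoded PublisherID value in the request line (empty if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return parse_qs(query, keep_blank_values=True).get("PublisherID", [])


def classify(line: str) -> set:
    """Reasons a request looks like SQLi against PublisherID; empty set means benign."""
    reasons = set()
    for value in publisher_id_values(line):
        if not value.isdigit():            # assumption: the app expects a numeric key
            reasons.add("non_numeric")
        if "'" in value or '"' in value:   # quote that can close a string literal
            reasons.add("quote")
        if SQL_KEYWORD_RE.search(value):   # SQL keyword inside the parameter itself
            reasons.add("sql_keyword")
    return reasons


def scan(lines):
    """Return (line_index, reasons) for every line the refined rule flags."""
    flagged = []
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOGS):
        print(i, "naive-hit" if naive_match(line) else "naive-miss", sorted(classify(line)))
```

Line 3 shows the difference: the substring rule fires on "author" while the refined rule, which only looks at the decoded parameter value, stays quiet.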
