CVE-2024-24101

9.8 CRITICAL

📋 TL;DR

Scholars Tracking System 1.0 contains a SQL injection vulnerability in the Eligibility Information Update functionality that allows attackers to execute arbitrary SQL commands. This affects all deployments of this specific software version. Attackers could potentially access, modify, or delete database contents.

💻 Affected Systems

Products:
  • Code-projects Scholars Tracking System
Versions: 1.0
Operating Systems: Any OS running the application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0; no specific OS requirements

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft or destruction of the scholar database, and host takeover if the injection can be chained to code execution (for example, where the database account is permitted to write files into the web root)

🟠 Likely Case

Unauthorized reading and modification of scholar records, including eligibility status; escalation to other application accounts if credentials or roles live in the same database; loss of data integrity

🟢 If Mitigated

Limited impact: parameterized queries remove the injection, and a least-privilege database account confines any remaining abuse of the form to the eligibility data it is meant to change

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection in the Eligibility Information Update feature; an attacker needs whatever access the application grants to that form, but the injection itself is straightforward and a public proof of concept exists

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. The realistic fix is to correct the vulnerable query in the Eligibility Information Update code yourself (see Temporary Workarounds) or to migrate to a maintained system.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Rewrite the eligibility update code (and every other database access) to use parameterized queries/prepared statements, so that request values are bound as data rather than concatenated into the SQL text, and validate the record identifier as an integer before it reaches the query. With no vendor patch available this is the actual fix, not a stopgap.
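The mechanism behind the vulnerability and the workaround, as an added example that is not the project's code: the Scholars Tracking System's real schema and source are not reproduced here (the table and column names below are assumptions), and Python's sqlite3 module stands in for the application's database so the example runs offline. The vulnerable function pastes the request's record identifier into the UPDATE statement, so the boolean payload from the verification section flips every row; the parameterized version binds the same payload as a plain value and changes nothing. It also illustrates what the "Check if Vulnerable" step below is looking for.

```python
import sqlite3

# Constructed stand-in for the scholar/eligibility table (assumed names;
# the real application's schema is not reproduced here).
SAMPLE_ROWS = [
    (1, "Ana", "ineligible"),
    (2, "Ben", "ineligible"),
    (3, "Cy", "ineligible"),
]


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE scholars (id INTEGER PRIMARY KEY, name TEXT, eligibility TEXT)"
    )
    conn.executemany("INSERT INTO scholars VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_eligibility_vulnerable(conn, scholar_id, status):
    """The pattern the advisory describes: request values pasted into SQL text.

    A scholar_id of  ' OR '1'='1  turns the WHERE clause into
    id = '' OR '1'='1', which is true for every row.
    """
    sql = f"UPDATE scholars SET eligibility = '{status}' WHERE id = '{scholar_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows changed


def update_eligibility_safe(conn, scholar_id, status):
    """Hardened form: placeholders. The driver sends values separately from the
    statement, so the payload is compared as a literal string and matches no id."""
    cur = conn.execute(
        "UPDATE scholars SET eligibility = ? WHERE id = ?", (status, scholar_id)
    )
    conn.commit()
    return cur.rowcount


def eligibility_column(conn):
    """Current eligibility values, ordered by id."""
    return [row[0] for row in conn.execute("SELECT eligibility FROM scholars ORDER BY id")]


def demo(payload="' OR '1'='1"):
    """Run the same payload through both versions on fresh databases.

    Returns (rows changed by vulnerable code, rows changed by safe code,
    eligibility column after the vulnerable update).
    """
    vuln_db = make_db()
    changed_vuln = update_eligibility_vulnerable(vuln_db, payload, "eligible")
    after_vuln = eligibility_column(vuln_db)

    safe_db = make_db()
    changed_safe = update_eligibility_safe(safe_db, payload, "eligible")
    return changed_vuln, changed_safe, after_vuln


if __name__ == "__main__":
    changed_vuln, changed_safe, after_vuln = demo()
    print(f"vulnerable update changed {changed_vuln} rows: {after_vuln}")
    print(f"parameterized update changed {changed_safe} rows")
```

In a PHP/MySQL code base the equivalent change is mysqli prepared statements or PDO with bound parameters; the point is the same in every language: the database driver, not string concatenation, carries the values, so a quote in the input can never close the literal.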

Web Application Firewall Rules

all

Deploy a WAF with SQL injection detection rules in front of the application to block obvious payloads. Treat this as a stopgap only: signature-based rules are bypassed with encoding and comment tricks, and they leave the vulnerable query in place.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls, and restrict the Eligibility Information Update page to the accounts that need it
  • Run the application with a database user holding only the permissions it needs (no file-write privileges, no DDL, no access to other databases)
  • Keep tested backups of the database so tampered or deleted records can be restored

🔍 How to Verify

Check if Vulnerable:

On a test copy of the application (or after taking a database backup, since the vulnerable statement is an UPDATE), submit the Eligibility Information Update form with a single quote appended to the record identifier and look for a database error in the response or logs; then submit a boolean payload such as ' OR '1'='1 in that field and check whether rows other than the targeted one changed. Only test systems you are authorized to test.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Re-run the checks above: the single quote should no longer produce a database error, the boolean payload should change no rows other than the targeted one, and a code review of the update handler should show bound parameters rather than string concatenation

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web application
  • SQL syntax errors in application logs
  • Multiple failed eligibility update attempts

Network Indicators:

  • HTTP requests containing SQL keywords to eligibility update endpoints
  • Unusual database connection patterns

SIEM Query:

source="web_logs" url="*eligibility*" (query="*UNION*SELECT*" OR query="*' OR *" OR query="*' AND *" OR query="*SLEEP(*" OR query="*--*")

URL-decode the query field before matching, and do not use a bare query="*OR*": it matches any value containing the letters "or" (author, order, form) and buries real hits in false positives. Anchoring the operator to a preceding quote and scoping the search to the eligibility update endpoint keeps the alert usable.
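The same detection logic run over a few constructed log lines, as an added example that is not from the original page: the endpoint path, IP addresses and timestamps are invented, and the pattern set is an assumption about what attack traffic against this form looks like. It contrasts a bare keyword match (the "*OR*" style of pattern) with a URL-decoded, quote-anchored regex scoped to the eligibility endpoint, and includes a benign request (author=Ortiz) that only the naive version flags.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Apache combined style; not real traffic from
# any deployment. The endpoint path is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2024:10:00:01 +0000] "POST /scholars/eligibility_update.php?id=12 HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2024:10:00:07 +0000] "POST /scholars/eligibility_update.php?id=12'%20OR%20'1'%3D'1 HTTP/1.1" 200 612
10.0.0.9 - - [10/Feb/2024:10:01:11 +0000] "GET /scholars/eligibility_update.php?id=7%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 233
10.0.0.7 - - [10/Feb/2024:10:02:15 +0000] "GET /scholars/eligibility_update.php?id=3&author=Ortiz HTTP/1.1" 200 498
10.0.0.7 - - [10/Feb/2024:10:02:20 +0000] "GET /scholars/list.php?q=UNION%20Corp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Applied to the URL-decoded query string: a quote followed by a boolean
# operator, UNION ... SELECT, SQL comment openers, time-based functions.
SQLI_RE = re.compile(
    r"'\s*(?:or|and)\s*['\d]"
    r"|\bunion\b.{0,40}\bselect\b"
    r"|--\s|/\*"
    r"|\b(?:sleep|benchmark|waitfor)\s*\(",
    re.IGNORECASE,
)


def parse(log_text):
    """Yield (ip, ts, url, status) for each parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts"), m.group("url"), int(m.group("status"))


def flag_eligibility_sqli(log_text, endpoint="eligibility"):
    """Requests to the affected endpoint whose decoded query looks like SQL injection."""
    hits = []
    for ip, ts, url, status in parse(log_text):
        if endpoint not in url:
            continue  # scope to the vulnerable feature
        _, _, query = url.partition("?")
        decoded = unquote_plus(query)
        if SQLI_RE.search(decoded):
            hits.append({"ip": ip, "ts": ts, "status": status, "query": decoded})
    return hits


def naive_keyword_hits(log_text, endpoint="eligibility", keywords=("SELECT", "UNION", "OR")):
    """Mimics a bare *OR*-style wildcard: case-insensitive substring match on the query."""
    count = 0
    for _, _, url, _ in parse(log_text):
        if endpoint not in url:
            continue
        decoded = unquote_plus(url.partition("?")[2]).upper()
        if any(k in decoded for k in keywords):
            count += 1
    return count


if __name__ == "__main__":
    for h in flag_eligibility_sqli(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} status={h['status']} query={h['query']!r}")
    print("naive keyword matches:", naive_keyword_hits(SAMPLE_LOG))
```

The 500 on the UNION request is the "SQL syntax errors in application logs" indicator from the list above showing up on the web tier; correlating the two sources is usually the quickest way to confirm a real probe rather than a scanner sweep.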

🔗 References

📤 Share & Export