CVE-2024-25312

8.8 HIGH

📋 TL;DR

This vulnerability allows SQL injection attacks through the 'id' parameter in Simple School Management System 1.0. Attackers can manipulate database queries to potentially access, modify, or delete sensitive school data. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Code-projects Simple School Management System
Versions: 1.0
Operating Systems: Any OS running PHP with database backend
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation at School/sub_delete.php endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or remote code execution on the database server
🟠 Likely Case: Unauthorized access to sensitive student/teacher data, grade manipulation, or system disruption
🟢 If Mitigated: Limited impact with proper input validation and database permissions in place

🌐 Internet-Facing: HIGH - Web application accessible from internet with SQL injection vulnerability
🏢 Internal Only: MEDIUM - Still significant risk from internal threats or compromised accounts

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple parameter manipulation required, no authentication needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Replace vulnerable code with parameterized queries or input validation.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to ensure 'id' parameter contains only numeric values

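Modify School/sub_delete.php to validate $_GET['id'] with is_numeric() or filter_var() before the value is used in a query. is_numeric() also accepts values such as 1e5 and 1.5, so filter_var() with FILTER_VALIDATE_INT is the stricter check.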

Web Application Firewall Rule

all

Block SQL injection patterns at the 'id' parameter

Add WAF rule to detect SQL patterns in GET parameters

🧯 If You Can't Patch

  • Implement network segmentation to isolate the application from sensitive databases
  • Add strict database user permissions with least privilege access

🔍 How to Verify

Check if Vulnerable:

Send a request to School/sub_delete.php with the id parameter set to 5' OR '1'='1 (that is, School/sub_delete.php?id=5' OR '1'='1), then check for a database error or unexpected behavior

Check Version:

Check application files for version information or readme files

Verify Fix Applied:

Test with SQL injection payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web application
  • SQL syntax errors in application logs
  • Multiple failed parameter validation attempts

Network Indicators:

  • HTTP requests with SQL keywords in GET parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (uri="*sub_delete.php*" AND (param="*id=*'*" OR param="*id=*%27*" OR param="*id=*OR*"))
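
The same detection can be run directly over web server access logs. The script below is an added example, not part of the original advisory: instead of matching SQL keywords it flags any request to sub_delete.php whose decoded id value is not a plain integer. It assumes combined-format access logs, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of an access-log entry (combined log format is an assumption).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>.+?) HTTP/[\d.]+"')
ENDPOINT = "/sub_delete.php"          # endpoint named in the advisory
NUMERIC_ID = re.compile(r"[0-9]+")    # the only shape a legitimate id has

def non_numeric_ids(log_line):
    """Return decoded id values that are not plain integers for requests to
    sub_delete.php; an empty list means the line is clean or not relevant."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    parts = urlsplit(match.group("target"))
    if not parts.path.lower().endswith(ENDPOINT):
        return []
    # parse_qs percent-decodes, so ' and %27 are handled alike, and it keeps
    # every occurrence of a repeated parameter (PHP uses the last one).
    ids = parse_qs(parts.query, keep_blank_values=True).get("id", [])
    return [v for v in ids if not NUMERIC_ID.fullmatch(v)]

def scan(lines):
    """Return (line_number, offending_value) pairs, numbering lines from 1."""
    return [(n, v) for n, line in enumerate(lines, 1)
            for v in non_numeric_ids(line)]

# Constructed sample entries (documentation IP range, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2024:10:01:02 +0000] '
    '"GET /School/sub_delete.php?id=12 HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Feb/2024:10:01:07 +0000] '
    '"GET /School/sub_delete.php?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Feb/2024:10:01:09 +0000] '
    '"GET /School/sub_delete.php?id=7&id=7x HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Feb/2024:10:02:00 +0000] '
    '"GET /School/index.php?id=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: non-numeric id {value!r}")
```

Because the check is an allowlist on the decoded value, it also catches encodings and repeated id parameters that keyword patterns can miss.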
