CVE-2024-26517

9.1 CRITICAL

📋 TL;DR

This SQL injection vulnerability in School Task Manager v1.0 allows remote attackers to execute arbitrary SQL commands via the delete-task.php component. Attackers can potentially access, modify, or delete sensitive database information. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • School Task Manager
Versions: v1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of v1.0 regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized access to sensitive student/teacher data, grade manipulation, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and database permission restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection with publicly available proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Apply manual fixes or replace the application with a secure alternative.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify delete-task.php to use prepared statements and validate all user inputs.

Replace vulnerable SQL queries with parameterized queries using PDO or mysqli prepared statements.

WAF Rule Implementation

all

Deploy web application firewall rules to block SQL injection patterns.

Add WAF rules to detect and block SQL injection attempts targeting delete-task.php.

🧯 If You Can't Patch

  • Disable or remove the delete-task.php component if it is not essential
  • Implement strict network segmentation and limit database access permissions

🔍 How to Verify

Check if Vulnerable:

Test delete-task.php endpoint with SQL injection payloads like ' OR '1'='1

Check Version:

Check PHP files for version information or review installation documentation.

Verify Fix Applied:

Verify parameterized queries are implemented and test with SQL injection payloads that should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed delete requests with SQL syntax

Network Indicators:

  • HTTP POST requests to delete-task.php containing SQL keywords

SIEM Query:

source="web_logs" AND uri="/delete-task.php" AND (request_body CONTAINS "OR" OR request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT")
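
The substring tests in the query above also match harmless values such as "ORDER FORM". The following added example (not part of the original advisory or of School Task Manager) applies token-level matching to decoded parameters instead. It assumes JSON-lines web logs that use the query's `uri` and `request_body` field names; the `src` field, the `task_id` parameter name and all sample events are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus

# Heuristic token patterns. Word boundaries and quote context keep "ORDER" or
# "selection" from matching, which a bare CONTAINS "OR" / "SELECT" test would flag.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.I),         # quote break + tautology
    re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I),         # numeric tautology
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),        # UNION-based extraction
    re.compile(r";\s*(drop|delete|update|insert)\b", re.I),  # stacked statement
    re.compile(r"--|/\*"),                                   # SQL comment markers
]

# Constructed sample events; "task_id" is a hypothetical parameter name.
SAMPLE_LOG = [
    '{"src": "203.0.113.7", "uri": "/delete-task.php", "request_body": "task_id=12"}',
    '{"src": "203.0.113.7", "uri": "/delete-task.php", "request_body": "task_id=1%27+OR+%271%27%3D%271"}',
    '{"src": "198.51.100.4", "uri": "/delete-task.php", "request_body": "note=ORDER+FORM&task_id=3"}',
    '{"src": "198.51.100.9", "uri": "/delete-task.php", "request_body": "task_id=1%2527%2520OR%25201%253D1"}',
    '{"src": "198.51.100.4", "uri": "/login.php", "request_body": "user=a%27+OR+%271%27%3D%271"}',
]

def suspicious_params(encoded):
    """Return (name, decoded value) pairs whose value matches an SQLi pattern."""
    hits = []
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; again for double encoding
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Flag delete-task.php events with suspicious query-string or body parameters."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed log lines
        if not isinstance(event, dict):
            continue
        path, _, query = str(event.get("uri", "")).partition("?")
        if not path.endswith("/delete-task.php"):
            continue  # only the component named in the advisory is in scope
        hits = suspicious_params(query) + suspicious_params(str(event.get("request_body", "")))
        if hits:
            alerts.append({"src": event.get("src"), "hits": hits})
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The patterns are heuristics and should be tuned against real traffic before they are used for alerting.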
