CVE-2024-29303

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands through the delete admin users function in SourceCodester PHP Task Management System 1.0. Attackers can potentially delete, modify, or extract sensitive data from the database. Organizations using this specific version of the task management system are affected.

💻 Affected Systems

Products:
  • SourceCodester PHP Task Management System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access to reach the vulnerable delete function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, privilege escalation to admin, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized deletion of admin accounts, data exfiltration of user credentials and sensitive task information, and potential system takeover.

🟢 If Mitigated

Limited to unauthorized data viewing if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin authentication to access the vulnerable endpoint, but SQL injection payloads are simple and well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Replace with secure alternative software or implement custom fixes.

🔧 Temporary Workarounds

Input Validation and Sanitization

Implement strict input validation and parameterized queries for all user inputs in the delete admin users function.

Modify PHP code to use prepared statements with PDO or mysqli
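As an added example (not code from the SourceCodester Task Management System, whose table and column names are not on this page), the unsafe pattern behind this bug next to a fix using the PDO prepared statements recommended above; the `admin_users` table, `id` column and in-memory SQLite database are assumptions made so the snippet runs offline.

```php
<?php
// Added example, not the project's own code. `admin_users`, `id` and the
// SQLite in-memory connection are assumptions for demonstration only.

// Unsafe pattern (the bug class this CVE describes): the submitted ID is
// concatenated into the SQL string, so a crafted value changes the query.
function deleteAdminUserUnsafe(PDO $pdo, string $id): int
{
    return $pdo->exec("DELETE FROM admin_users WHERE id = '" . $id . "'");
}

// Hardened version: validate the ID as a positive integer, then bind it as a
// typed parameter so the driver never interprets it as SQL.
function deleteAdminUser(PDO $pdo, string $id): int
{
    // FILTER_VALIDATE_INT rejects quotes, spaces and keywords; min_range
    // rejects 0 and negatives.
    $validated = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validated === false) {
        throw new InvalidArgumentException('Invalid admin user ID');
    }
    $stmt = $pdo->prepare('DELETE FROM admin_users WHERE id = :id');
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Throwaway database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server
// performs the binding; pdo_sqlite does not accept that attribute.
$pdo->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO admin_users (username) VALUES ('alice'), ('bob'), ('carol')");

// A legitimate request still works through the hardened function.
echo deleteAdminUser($pdo, '2') . " row deleted (hardened, valid id)\n"; // 1

// The test value from "How to Verify" is rejected before any SQL runs ...
try {
    deleteAdminUser($pdo, "' OR '1'='1");
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}

// ... whereas the unsafe function turns it into WHERE id = '' OR '1'='1'
// and wipes the remaining rows.
echo deleteAdminUserUnsafe($pdo, "' OR '1'='1") . " rows deleted (unsafe)\n"; // 2
```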

Web Application Firewall (WAF)

Deploy a WAF with SQL injection protection rules to block malicious payloads.

Configure WAF to block SQL injection patterns

🧯 If You Can't Patch

  • Isolate the system on a segmented network with strict access controls
  • Disable or restrict access to the admin panel from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Test the delete admin users function with SQL injection payloads such as ' OR '1'='1 in the user ID parameter.

Check Version:

Check the software version in the admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute, and that the application instead returns a proper error message or no result.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed delete attempts with suspicious parameters
  • Admin user deletions from unexpected IP addresses

Network Indicators:

  • HTTP POST requests to admin delete endpoint containing SQL keywords like UNION, SELECT, OR

SIEM Query:

source="web_logs" AND (uri="/admin/delete_user.php" OR uri LIKE "%/admin/delete%") AND (request_body LIKE "%OR%" OR request_body LIKE "%UNION%" OR request_body LIKE "%SELECT%")
