CVE-2024-30928

8.1 HIGH

📋 TL;DR

This SQL injection vulnerability in DerbyNet allows attackers to execute arbitrary SQL commands through the 'classids' parameter in the ajax/query.slide.next.inc endpoint. Attackers can potentially read, modify, or delete database content. All DerbyNet installations version 9.0 and below are affected.

💻 Affected Systems

Products:
  • DerbyNet
Versions: v9.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if the vulnerable endpoint is accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, privilege escalation to administrative access, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized data access and modification, extraction of sensitive information like user credentials or race data, and potential application disruption.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is well-understood with many automated tools available. The vulnerability is in a publicly accessible AJAX endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Check for an official patch from the DerbyNet developers.
2. If a patch is available, download and apply it.
3. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add input validation to sanitize the 'classids' parameter before processing.

Modify ajax/query.slide.next.inc to validate the classids parameter as an integer or safe string.

Web Application Firewall Rule (applies to: all)

Block SQL injection patterns targeting the vulnerable endpoint.

Add a WAF rule to block requests containing SQL keywords in the classids parameter.
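The validation workaround above, as an added example in PHP (the language DerbyNet is written in); this is not DerbyNet's own code and does not reproduce the vulnerable handler. It treats classids as a strict comma-separated integer list and binds each value through a prepared statement; the table name Classes, the column classid, the PDO handle $db and the JSON error body are assumptions.

```php
<?php
// Added hardening example (not DerbyNet's code). The pattern it replaces is the
// classic one where the raw parameter lands in the query text, e.g. (constructed):
//   "SELECT ... WHERE classid IN (" . $_GET['classids'] . ")"
// Assumptions: PDO handle $db; table Classes with column classid (placeholders).

/**
 * Parse a value like "3,7,12" into [3, 7, 12].
 * Returns [] for an empty string and null for anything that is not a
 * plain list of non-negative integers (spaces, quotes, keywords, etc.).
 */
function parse_classids(string $raw): ?array
{
    $raw = trim($raw);
    if ($raw === '') {
        return [];
    }
    // Whole-string check: digits and single commas only, no leading/trailing comma.
    if (!preg_match('/^\d+(,\d+)*$/', $raw)) {
        return null;
    }
    return array_map('intval', explode(',', $raw));
}

/** Fetch rows for the given ids; every id is a bound parameter, never SQL text. */
function fetch_classes(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT classid, class FROM Classes WHERE classid IN ($placeholders)"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Handler fragment: reject malformed input with a 400 instead of passing it on.
$ids = parse_classids($_GET['classids'] ?? '');
if ($ids === null) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'classids must be a comma-separated list of integers']);
    exit;
}
$rows = fetch_classes($db, $ids);
```

Pairing this with a least-privilege database account (read-only where the endpoint only reads) limits what a bypass of the regex could reach.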

🧯 If You Can't Patch

  • Restrict access to the ajax/query.slide.next.inc endpoint using network controls or authentication
  • Implement database-level protections: use least privilege accounts, enable query logging, and restrict database functions

🔍 How to Verify

Check if Vulnerable:

Test the ajax/query.slide.next.inc endpoint with SQL injection payloads in the classids parameter

Check Version:

Check DerbyNet version in configuration files or admin interface

Verify Fix Applied:

Test the same endpoint with SQL injection payloads to confirm they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests to ajax/query.slide.next.inc with suspicious parameters
  • Error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests to ajax/query.slide.next.inc containing SQL keywords like UNION, SELECT, INSERT in parameters

SIEM Query:

source="web_logs" AND url="*ajax/query.slide.next.inc*" AND (param="*UNION*" OR param="*SELECT*" OR param="*INSERT*")
