CVE-2024-30990

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical SQL injection vulnerability in the Invoices page of phpgurukul Client Management System. Attackers can execute arbitrary SQL commands via the 'searchdata' parameter, potentially compromising the entire database. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • phpgurukul Client Management System
Versions: Version 1.1
Operating Systems: Any OS running PHP and MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Invoices page specifically via the searchdata parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, extraction of sensitive client information, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET/POST parameter requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement workarounds or migrate to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Add server-side validation to sanitize searchdata parameter before processing

Modify the PHP code to use prepared statements, binding the search term as data (the LIKE wildcards belong in the bound value, not in the SQL text):

    $stmt = $conn->prepare('SELECT * FROM invoices WHERE column LIKE ?');
    $pattern = '%' . $searchdata . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
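The workaround above written out as an added example (this is not code from the phpgurukul Client Management System): the string-concatenation pattern that produces the vulnerability beside a hardened Invoices search handler that uses a mysqli prepared statement. The table and column names (tblinvoices, InvoiceNumber, ClientName, Amount), the file name invoices.php and the connection values are assumptions, not taken from the product.

```php
<?php
// Added example, not code from the phpgurukul Client Management System.
// Table/column names and connection details below are assumptions.

// Vulnerable pattern: the searchdata parameter is pasted into the SQL text,
// so a value such as the page's  ' OR '1'='1  rewrites the query itself.
function vulnerableInvoiceSearch(mysqli $conn, string $searchdata)
{
    $sql = "SELECT * FROM tblinvoices WHERE InvoiceNumber LIKE '%" . $searchdata . "%'";
    return $conn->query($sql);
}

// Hardened version: the value is bound as data, so it can never change the
// statement's structure. LIKE metacharacters are escaped as well, so a
// user-supplied '%' or '_' cannot silently widen the match.
function safeInvoiceSearch(mysqli $conn, string $searchdata): array
{
    // Escape '!' itself first, then the two LIKE wildcards, using '!' as the escape char.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $searchdata);
    $pattern = '%' . $escaped . '%';   // wildcards live in the bound value, not in the SQL

    $stmt = $conn->prepare(
        "SELECT ID, InvoiceNumber, ClientName, Amount
           FROM tblinvoices
          WHERE InvoiceNumber LIKE ? ESCAPE '!'
             OR ClientName    LIKE ? ESCAPE '!'"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $rows;
}

// Usage as it would sit in invoices.php (connection values are placeholders).
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'cmsdb');
$conn->set_charset('utf8mb4');
$searchdata = $_GET['searchdata'] ?? '';
foreach (safeInvoiceSearch($conn, $searchdata) as $row) {
    // Output encoding keeps the stored values from becoming an XSS problem on the way out.
    echo htmlspecialchars($row['InvoiceNumber']), ' - ', htmlspecialchars($row['ClientName']), "\n";
}
```

The explicit ESCAPE clause avoids depending on the server's sql_mode for the default backslash escape; the same pattern applies to every other search field on the page, since only the column list changes.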

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection patterns in searchdata parameter

Add a WAF rule (ModSecurity syntax):

    SecRule ARGS:searchdata "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Disable or restrict access to the Invoices page functionality
  • Implement network segmentation to isolate the vulnerable system from sensitive data

🔍 How to Verify

Check if Vulnerable:

Test the Invoices page search functionality with SQL injection payloads like: searchdata=' OR '1'='1

Check Version:

Check system documentation or configuration files for version information

Verify Fix Applied:

Attempt SQL injection payloads and verify they are properly sanitized or blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts after search operations
  • Suspicious search patterns containing SQL keywords

Network Indicators:

  • HTTP requests with SQL injection patterns in searchdata parameter
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (searchdata="*OR*" OR searchdata="*UNION*" OR searchdata="*SELECT*" OR searchdata="*--*" OR searchdata="*;*")
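The same indicators applied offline to web server access logs, as an added example that is not part of the advisory: it parses constructed Apache-style log lines, pulls the searchdata parameter out of the request line and flags values that match the keywords the SIEM query above looks for. The log lines, host names and paths are constructed samples. The third line is a legitimate search that happens to contain the word OR, included to show that a keyword-only rule produces false positives and needs review rather than automatic blocking.

```php
<?php
// Added example; the log lines below are constructed, not real traffic.

// Indicators mirroring the SIEM query on the page (OR, UNION, SELECT, --, ;)
// plus a lone single quote, the character that breaks the vulnerable query.
const SQLI_INDICATORS = [
    'OR keyword'     => '/\bOR\b/i',
    'UNION keyword'  => '/\bUNION\b/i',
    'SELECT keyword' => '/\bSELECT\b/i',
    'comment --'     => '/--/',
    'statement ;'    => '/;/',
    'single quote'   => "/'/",
];

// Pull the decoded searchdata value out of a combined-format access log line.
function extractSearchdata(string $logLine): ?string
{
    // Request part of the line looks like: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);   // parse_str also URL-decodes the values
    return isset($params['searchdata']) ? (string) $params['searchdata'] : null;
}

// Return the names of every indicator that matches the value.
function matchedIndicators(string $value): array
{
    $hits = [];
    foreach (SQLI_INDICATORS as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scan a list of log lines and collect the ones worth an analyst's attention.
function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $n => $line) {
        $value = extractSearchdata($line);
        if ($value === null) {
            continue;
        }
        $hits = matchedIndicators($value);
        if ($hits) {
            $alerts[] = ['line' => $n + 1, 'searchdata' => $value, 'indicators' => $hits];
        }
    }
    return $alerts;
}

// Constructed sample log: a normal search, the page's own test payload,
// a benign search containing the word OR, and an unrelated request.
$sampleLog = [
    '203.0.113.7 - - [10/May/2024:08:01:12 +0000] "GET /cms/invoices.php?searchdata=INV-1042 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/May/2024:08:01:40 +0000] "GET /cms/invoices.php?searchdata=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9871',
    '198.51.100.23 - - [10/May/2024:08:02:05 +0000] "GET /cms/invoices.php?searchdata=Acme+OR+Globex HTTP/1.1" 200 4410',
    '198.51.100.23 - - [10/May/2024:08:02:30 +0000] "GET /cms/index.php HTTP/1.1" 200 1200',
];

foreach (scanLog($sampleLog) as $alert) {
    printf("line %d: searchdata=%s  matched: %s\n",
        $alert['line'], $alert['searchdata'], implode(', ', $alert['indicators']));
}
```

Run against the samples, line 2 is flagged on both the OR keyword and the single quote, while line 3 is flagged on the OR keyword alone; treating a single keyword hit as a review item and a quote or comment sequence as a higher-confidence signal keeps the noise from a search box that accepts free text manageable.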
