CVE-2024-31545

9.4 CRITICAL

📋 TL;DR

Computer Laboratory Management System v1.0 contains a SQL injection vulnerability in the 'id' parameter of the user management page. This allows attackers to execute arbitrary SQL commands on the database, potentially compromising sensitive data. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • Computer Laboratory Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface reachable via the /admin/?page=user/manage_user endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution on the underlying server.

🟠 Likely Case

Unauthorized access to sensitive user data, system configuration information, and potential administrative account takeover.

🟢 If Mitigated

Limited information disclosure if proper input validation and database permissions are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the admin interface, but the SQL injection itself is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter

Platforms: all

Implement server-side validation to ensure the 'id' parameter contains only numeric values.

Modify the PHP code to validate the parameter before it reaches the query: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

Note that is_numeric() also accepts floats, exponent notation such as '1e3' and leading whitespace; casting with (int) or validating with FILTER_VALIDATE_INT is stricter, and moving the query to a prepared statement with a bound parameter removes the injection rather than filtering it.

Web Application Firewall

Platforms: all

Deploy WAF rules to block SQL injection patterns in the 'id' parameter.

Configure the WAF with SQL injection detection rules scoped to the vulnerable endpoint.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit database server access

🔍 How to Verify

Check if Vulnerable:

Test the /admin/?page=user/manage_user endpoint with SQL injection payloads like: id=6' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test with SQL injection payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by SQL injection patterns
  • Admin panel access with suspicious 'id' parameter values

Network Indicators:

  • HTTP requests to /admin/?page=user/manage_user with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/?page=user/manage_user" AND (param="id" AND value MATCH "'.*'|OR|UNION|SELECT")
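The SIEM query above expressed as runnable log inspection, added here as an illustration rather than taken from the advisory or the product: it parses combined-format web server log lines (constructed sample lines below), keeps only requests to the vulnerable page, and flags any 'id' value that is not a plain integer, decoding a second time so double-encoded values do not slip past the check. The log format and the split between "sqli-pattern" and "non-numeric" reasons are assumptions of this example.

```python
# Added example (not from the advisory): flag requests to the vulnerable page
# whose 'id' parameter is not a plain integer. Sample log lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

VULN_PATH = "/admin/"
VULN_PAGE = "user/manage_user"
# Apache/nginx combined log format; only ip, timestamp and request URI are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Same tokens the advisory's SIEM query looks for, plus SQL comment markers.
SQLI_HINT = re.compile(r"'|\b(or|union|select)\b|--|/\*", re.IGNORECASE)

def inspect_request(uri):
    """Return None for a benign request, otherwise a short reason string."""
    parts = urlsplit(uri)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if parts.path != VULN_PATH or qs.get("page", [""])[0] != VULN_PAGE:
        return None  # not the vulnerable page
    for raw in qs.get("id", []):
        value = unquote_plus(raw)  # parse_qs decoded once; undo a second layer
        if re.fullmatch(r"[0-9]+", value):
            continue  # the only legitimate shape for 'id'
        if SQLI_HINT.search(value):
            return f"sqli-pattern id={value!r}"
        return f"non-numeric id={value!r}"
    return None

def scan_log(lines):
    """Return (ip, timestamp, reason) for every suspicious request in lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash the scan
        reason = inspect_request(m.group("uri"))
        if reason:
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [12/Apr/2024:10:01:02 +0000] "GET /admin/?page=user/manage_user&id=6 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Apr/2024:10:01:07 +0000] "GET /admin/?page=user/manage_user&id=6%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [12/Apr/2024:10:01:09 +0000] "GET /admin/?page=user/manage_user&id=6%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 200 4096',
    '10.0.0.5 - - [12/Apr/2024:10:01:12 +0000] "GET /admin/?page=user/list&id=1%27 HTTP/1.1" 200 300',
    '10.0.0.5 - - [12/Apr/2024:10:01:15 +0000] "GET /admin/?page=user/manage_user&id=abc HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The second and third sample lines are the same injection once and twice URL-encoded; both are flagged, while the quote on a different page is ignored because the rule is scoped to the vulnerable endpoint.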
