CVE-2024-34934

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in Campcodes Complete Web-Based School Management System 1.0 allows attackers to execute arbitrary SQL commands via the conversation_id parameter in the /view/emarks_range_grade_update_form.php endpoint. This can lead to data theft, modification, or deletion, and potentially full system compromise. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Campcodes Complete Web-Based School Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation. Requires PHP environment with database backend.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise leading to data exfiltration, privilege escalation, remote code execution, and complete system takeover.

🟠 Likely Case

Unauthorized access to sensitive student/teacher data, grade manipulation, and potential authentication bypass.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - Web application accessible from internet with unauthenticated SQL injection.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or unauthenticated attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection via GET/POST parameter. Public proof-of-concept available in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement workarounds or migrate to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Add input validation and parameterized queries to the vulnerable PHP file: edit /view/emarks_range_grade_update_form.php to use prepared statements with PDO or mysqli.

Web Application Firewall (WAF) (applies to: all)

Deploy WAF rules to block SQL injection patterns: configure the WAF to block requests containing SQL keywords in the conversation_id parameter.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit database access

🔍 How to Verify

Check if Vulnerable:

Test the /view/emarks_range_grade_update_form.php endpoint with SQL injection payloads in conversation_id parameter

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return appropriate error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts after SQL injection
  • Access to /view/emarks_range_grade_update_form.php with suspicious parameters

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, INSERT, etc.) in conversation_id parameter
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/view/emarks_range_grade_update_form.php" AND (param="conversation_id" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|create|alter)")
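As an added example (not part of this advisory), the following Python script implements the SIEM query above, which is also the logic behind the WAF workaround, over web server access logs. The endpoint, parameter and keyword list come from the advisory; the common-log-format layout, IP addresses, timestamps and the sample lines are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory for CVE-2024-34934.
VULN_PATH = "/view/emarks_range_grade_update_form.php"
VULN_PARAM = "conversation_id"
# Same keyword list as the SIEM query; \b keeps "selection" or "updated" from matching.
SQL_KEYWORDS = re.compile(r"\b(union|select|insert|update|delete|drop|create|alter)\b", re.I)
# Apache/nginx "common" access-log format (assumed; adjust for your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)

def inspect_request(uri):
    """Return the decoded conversation_id value if it carries a SQL keyword, else None."""
    parts = urlsplit(uri)
    if parts.path != VULN_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        value = unquote_plus(raw)  # parse_qs decoded once; this catches double-encoding
        if SQL_KEYWORDS.search(value):
            return value
    return None

def scan_log(lines):
    """Return (ip, timestamp, offending value) for each suspicious request to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            value = inspect_request(m.group("uri"))
            if value is not None:
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

# Constructed sample lines: a benign request, a double-encoded injection attempt,
# an unrelated URI containing "select", and a POST (body parameters are not logged).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /view/emarks_range_grade_update_form.php?conversation_id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:10:01:09 +0000] "GET /view/emarks_range_grade_update_form.php?conversation_id=12%2520UNION%2520SELECT%25201 HTTP/1.1" 200 6120
198.51.100.4 - - [10/May/2024:10:02:00 +0000] "GET /index.php?page=select HTTP/1.1" 200 800
203.0.113.7 - - [10/May/2024:10:03:15 +0000] "POST /view/emarks_range_grade_update_form.php HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} conversation_id={value!r}")
```

Access logs only record the query string, so a payload sent in a POST body never reaches this check; that case has to be caught by the WAF or by the prepared-statement fix in the application itself.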
