CVE-2024-34955

9.8 CRITICAL

📋 TL;DR

Budget Management 1.0 contains a SQL injection vulnerability in the delete parameter that allows attackers to execute arbitrary SQL commands. This affects all users running this specific version of the software, potentially exposing database contents and system control.

💻 Affected Systems

Products:
  • Code-projects Budget Management
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only version 1.0 is confirmed affected. The vulnerability exists in the delete parameter handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, and potential remote code execution on the underlying server.

🟠 Likely Case

Unauthorized data access, modification, or deletion of budget records and user information.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via delete parameter is straightforward to exploit with publicly available proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to sanitize the delete parameter before processing.

Modify delete parameter handling to use prepared statements with parameterized queries.

Web Application Firewall (applies to: all)

Deploy WAF rules to block SQL injection patterns in the delete parameter.

Configure WAF to detect and block SQL injection attempts in URL parameters.
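The two workarounds above boil down to one change in the delete handler: validate the parameter against what it is supposed to be, and bind it as a query parameter instead of splicing it into the SQL string. The following is an added example, not code from the Budget Management project: a `delete_vulnerable` handler written in the string-concatenation style the advisory describes, beside a `delete_hardened` handler that applies an integer allowlist and a parameterized query. The `budget` table, its columns and the sample rows are constructed for the demo; the real application's schema is not known from this page.

```python
"""Added example: an unsafe delete handler beside its hardened form.

Not code from the Budget Management project. The table name, columns and
rows below are constructed so the demo runs against an in-memory SQLite
database.
"""
import re
import sqlite3

# Only positive integer ids are legitimate values for the delete parameter.
ID_RE = re.compile(r"[1-9][0-9]*")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed budget rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE budget (id INTEGER PRIMARY KEY, item TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO budget (id, item, amount) VALUES (?, ?, ?)",
        [(1, "rent", 1200.0), (2, "utilities", 180.5), (3, "groceries", 420.0)],
    )
    conn.commit()
    return conn


def delete_vulnerable(conn: sqlite3.Connection, delete_param: str) -> int:
    """The flawed pattern: the raw parameter is concatenated into the SQL.

    A value such as ' OR '1'='1 turns the WHERE clause into a tautology, so
    every row is deleted. Returns the number of rows removed.
    """
    sql = "DELETE FROM budget WHERE id = '" + delete_param + "'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def is_valid_delete_id(delete_param: str) -> bool:
    """Allowlist check: the parameter must be a positive integer id."""
    return ID_RE.fullmatch(delete_param) is not None


def delete_hardened(conn: sqlite3.Connection, delete_param: str) -> int:
    """Validate first, then bind the value; it can never be parsed as SQL."""
    if not is_valid_delete_id(delete_param):
        raise ValueError("delete parameter must be a positive integer id")
    cur = conn.execute("DELETE FROM budget WHERE id = ?", (int(delete_param),))
    conn.commit()
    return cur.rowcount


def remaining_ids(conn: sqlite3.Connection) -> list:
    """Ids still present, in ascending order (used to observe the outcome)."""
    return [row[0] for row in conn.execute("SELECT id FROM budget ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler removed", delete_vulnerable(db, "' OR '1'='1"), "rows")
    db = make_db()
    print("hardened handler removed", delete_hardened(db, "2"), "row; left", remaining_ids(db))
```

Note that the parameterized query alone already prevents the injection; the allowlist check is kept as well so that a malformed value is rejected with a clear error instead of silently matching nothing, which also gives the logging section a clean event to record.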

🧯 If You Can't Patch

  • Isolate the Budget Management system from internet access and restrict to trusted internal networks only.
  • Implement strict database user permissions with least privilege principle to limit potential damage.

🔍 How to Verify

Check if Vulnerable:

Test the delete parameter with SQL injection payloads like ' OR '1'='1 and observe if database behavior changes.

Check Version:

Check application version in admin panel or configuration files for 'Budget Management 1.0'.

Verify Fix Applied:

Retest with SQL injection payloads after implementing fixes; successful payloads should be rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple delete requests with suspicious parameter values

Network Indicators:

  • HTTP requests containing SQL keywords in delete parameter
  • Unusual database query patterns from application server

SIEM Query:

source="web_logs" AND uri="*delete=*" AND (uri="*OR*" OR uri="*UNION*" OR uri="*SELECT*" OR uri="*--*" OR uri="*;*")
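The SIEM query above matches on the raw URI, so it depends on the SQL keywords appearing literally in the log. The following is an added example, not part of the original advisory, that applies the same indicators to web-server access logs after URL decoding, which catches the percent-encoded and plus-encoded forms a raw wildcard match can miss. It parses combined-format lines, extracts the delete parameter, treats plain positive integers as benign, and reports the rest. The log lines are constructed for the example and the `/delete.php` path is an assumption, not a known path from the application.

```python
"""Added example: the SIEM indicators applied to decoded access-log lines.

Not part of the original advisory. The sample lines are constructed in
Apache/nginx combined format; the request path is an assumption.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample traffic: one legitimate delete, two suspicious ones,
# one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:01:07 +0000] "GET /delete.php?delete=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:01:09 +0000] "GET /delete.php?delete=%27+OR+%271%27%3D%271 HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [10/May/2024:12:01:11 +0000] "GET /delete.php?delete=1+UNION+SELECT+1,2,3-- HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.7 - - [10/May/2024:12:01:15 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# The same indicators as the SIEM query: OR, UNION, SELECT, "--" and ";".
SQLI_PATTERNS = [
    re.compile(r"\bOR\b", re.IGNORECASE),
    re.compile(r"\bUNION\b", re.IGNORECASE),
    re.compile(r"\bSELECT\b", re.IGNORECASE),
    re.compile(r"--"),
    re.compile(r";"),
]
BENIGN_ID_RE = re.compile(r"[1-9][0-9]*")


def suspicious_delete_values(uri: str) -> list:
    """Return decoded 'delete' values that match an indicator.

    parse_qs decodes once; the extra unquote_plus pass also exposes
    double-encoded values before the patterns are applied.
    """
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    hits = []
    for value in params.get("delete", []):
        decoded = unquote_plus(value)
        if BENIGN_ID_RE.fullmatch(decoded):
            continue  # a plain positive integer is what the handler expects
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits.append(decoded)
    return hits


def scan_log(text: str) -> list:
    """Parse each line and emit one alert per request with suspicious values."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        values = suspicious_delete_values(m["uri"])
        if values:
            alerts.append(
                {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "values": values}
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running this over real logs will still produce false positives on legitimate values that happen to contain "or" or a semicolon; the integer allowlist above removes most of them for this particular parameter, and pairing the alert with a 500 status (the "unusual SQL error messages" indicator) is a useful second signal when triaging.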
