Login Sign Up

CVE-2024-3534

7.3 HIGH
SQL Injection Authentication Bypass

📋 TL;DR

CVE-2024-3534 is a critical SQL injection vulnerability in Campcodes Church Management System 1.0 that allows attackers to execute arbitrary SQL commands via the password parameter in login.php. This can lead to authentication bypass, data theft, or complete system compromise. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Campcodes Church Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. Any system with login.php accessible is vulnerable.

📦 What is this software?

Church Management System by Campcodes

View all CVEs affecting Church Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data exfiltration, authentication bypass, privilege escalation, and potential remote code execution if database functions allow it.

🟠

Likely Case

Authentication bypass allowing unauthorized access to the system, followed by data theft or manipulation of church management data.

🟢

If Mitigated

Attack fails due to input validation, parameterized queries, or WAF blocking malicious SQL patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub repositories. SQL injection via login page is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to sanitize password input before processing SQL queries.

Manual code modification required - implement parameterized queries or prepared statements in login.php

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting login.php

WAF-specific configuration required

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all access to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Test login.php with SQL injection payloads in password field (e.g., ' OR '1'='1) and observe if authentication bypass occurs

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Attempt SQL injection after implementing fixes - should return authentication failure instead of bypass

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with SQL patterns
  • Successful logins from unexpected IPs

Network Indicators:

  • HTTP POST requests to login.php containing SQL keywords in parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/login.php" AND (password CONTAINS "OR" OR password CONTAINS "UNION" OR password CONTAINS "SELECT")

📊 Metadata

CVE ID: CVE-2024-3534
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89
Published: April 10, 2024
Last Updated: February 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3534, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)