CVE-2024-35356

6.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands through the 'id' parameter in Diño Physics School Assistant version 2.3. Attackers can potentially read, modify, or delete database contents. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Diño Physics School Assistant
Versions: 2.3
Operating Systems: Any OS running the application
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in a default installation and is reached through the /classes/Master.php?f=save_item endpoint.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, or deletion of critical educational records and user information.

🟠 Likely Case

Unauthorized access to sensitive student/teacher data, grade manipulation, or extraction of database credentials.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Error-based SQL injection makes exploitation straightforward with common SQL injection tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Applies to: all

Modify Master.php to implement proper input validation and use prepared statements for database queries.

Edit /classes/Master.php to replace raw SQL queries with parameterized queries using PDO or mysqli prepared statements.
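As an added illustration of this workaround (example code, not the project's own Master.php), here is the string-built query pattern that produces error-based injection, beside a hardened version using PDO prepared statements; the table name item_list, the name column and the function names are assumptions.

```php
<?php
// Added example, not the project's code: a hypothetical save_item handler in the
// shape of the vulnerable pattern, beside a hardened PDO version. The table
// item_list and its columns (id, name) are assumptions.

// Vulnerable: the 'id' value is spliced into the SQL string, so a quote in it
// changes the query structure, and the raw database error is returned to the
// client, which is what makes error-based injection work.
function saveItemVulnerable(PDO $db, array $input): string
{
    $id   = $input['id']   ?? '';
    $name = $input['name'] ?? '';
    $sql  = "UPDATE item_list SET name = '{$name}' WHERE id = '{$id}'";
    try {
        $db->exec($sql);
        return 'saved';
    } catch (PDOException $e) {
        return $e->getMessage();   // leaks SQL error text to the caller
    }
}

// Hardened: reject anything that is not a positive integer, bind values so the
// driver never parses user input as SQL, log failures server-side and return a
// generic message so no database error reaches the client.
function saveItemSafe(PDO $db, array $input): string
{
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 'invalid id';
    }
    $name = (string) ($input['name'] ?? '');
    try {
        $stmt = $db->prepare('UPDATE item_list SET name = :name WHERE id = :id');
        $stmt->bindValue(':name', $name, PDO::PARAM_STR);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        return 'saved';
    } catch (PDOException $e) {
        error_log('save_item failed: ' . $e->getMessage());
        return 'error';
    }
}

// Connection setup is assumed to live elsewhere; ERRMODE_EXCEPTION makes failures
// catchable, and disabling emulated prepares sends real server-side prepared statements.
// $db = new PDO($dsn, $user, $pass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
```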

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Add a WAF rule that denies requests to /classes/Master.php?f=save_item whose id parameter contains SQL keywords or quote characters. Keyword filtering is a stopgap that can be bypassed by encoding variations, so treat it as a buffer while the code is fixed, not as the fix.

🧯 If You Can't Patch

  • Restrict network access to the application to trusted users only
  • Run the application with a database user that has the minimum necessary permissions (read-only if possible), so a successful injection cannot modify or delete data

🔍 How to Verify

Check if Vulnerable:

Test /classes/Master.php?f=save_item&id=1' with SQL injection payloads and observe whether database error messages are returned in the response

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test the same endpoint with SQL injection payloads and verify no database errors are returned

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /classes/Master.php?f=save_item with SQL keywords in parameters
  • Database error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests containing SQL injection patterns (UNION, SELECT, etc.) in URL parameters

SIEM Query (pseudo-syntax; adapt field names and operators to your SIEM):

source="web_logs" AND url="/classes/Master.php" AND (param="id" AND value CONTAINS "' OR ")
