CVE-2024-37857

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Lost and Found Information System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in the admin categories view page. Attackers can escalate privileges, potentially gaining administrative access to the system. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • Lost and Found Information System
Versions: 1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP environment with database connectivity.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative access, data theft, and potential lateral movement to other systems.

🟠 Likely Case

Privilege escalation to admin level, unauthorized access to sensitive data, and system manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to the application layer.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires access to the admin interface, but the SQL injection itself is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: http://lost.com

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries and input validation in php-lfis/admin/categories/view_category.php.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Add input validation to ensure id parameter contains only numeric values.

Modify view_category.php to validate $_GET['id'] with is_numeric() or filter_var() before it reaches the query.
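Added example (not code from the Lost and Found Information System project) of the fix the instructions above describe: the concatenated lookup pattern the advisory attributes to view_category.php beside a hardened version that validates id as an integer and binds it in a prepared statement. The table and column names, the $conn mysqli handle, and the mysqlnd-backed get_result() call are assumptions.

```php
<?php
// Added example for CVE-2024-37857 mitigation; not the project's own code.
// Assumed: a mysqli handle $conn, a `categories` table with columns
// id, name, description (names are hypothetical).

// Vulnerable pattern described in the advisory: the raw GET value is
// interpolated into the SQL string, so input such as ' OR '1'='1
// changes the query's meaning. Kept here only as the "before" picture.
function view_category_vulnerable(mysqli $conn, array $get): ?array
{
    $sql = "SELECT * FROM categories WHERE id = '" . $get['id'] . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: reject anything that is not a positive integer, then
// bind the value as a typed placeholder so it can never be parsed as SQL.
function view_category_hardened(mysqli $conn, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        // Fail closed: log the rejected value for detection, never fall
        // back to the raw string.
        http_response_code(400);
        error_log('view_category: rejected non-integer id '
            . json_encode($get['id'] ?? null));
        return null;
    }

    $stmt = $conn->prepare(
        'SELECT id, name, description FROM categories WHERE id = ? LIMIT 1'
    );
    $stmt->bind_param('i', $id);   // 'i' = integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

With the hardened version, the payload named under "How to Verify" is rejected with HTTP 400 and a log line before any query runs, which also gives the log indicator listed under Detection & Monitoring something concrete to match.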

Web Application Firewall (WAF) (applies to: all)

Deploy WAF rules to block SQL injection patterns.

Add WAF rule: deny requests with SQL keywords in id parameter

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls.
  • Implement network segmentation to limit potential lateral movement.

🔍 How to Verify

Check if Vulnerable:

Test the id parameter with SQL injection payloads such as ' OR '1'='1 against /php-lfis/admin/categories/view_category.php?id=1

Check Version:

Check version in application files or documentation.

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and that the page returns an error or sanitized output instead.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts followed by successful admin access

Network Indicators:

  • HTTP requests with SQL keywords in id parameter
  • Unusual database queries from web server

SIEM Query:

source="web_logs" AND uri="*view_category.php*" AND (query="*id=*OR*" OR query="*id=*UNION*" OR query="*id=*SELECT*")
