CVE-2024-37858

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Lost and Found Information System 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter in the admin categories management page. Attackers can escalate privileges, potentially gaining full administrative control. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • Lost and Found Information System
Versions: 1.0
Operating Systems: Any OS running PHP and MySQL/MariaDB
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP and a database backend (typically MySQL/MariaDB). All default installations are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with administrative access, data theft, data manipulation, and potential lateral movement to other systems.

🟠 Likely Case: Privilege escalation to admin level, allowing modification of all system data and user accounts.

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting SQL execution.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or unauthenticated attackers on the network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm. Simple SQL injection via URL parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (applies to: all)

Modify php-lfis/admin/categories/manage_category.php to validate and sanitize the id parameter using prepared statements. Replace vulnerable SQL queries with prepared statements using PDO or mysqli.
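The following is an added illustration, not code from the Lost and Found Information System project (the advisory does not reproduce the original manage_category.php): a representative vulnerable handler for a numeric id parameter next to a hardened version using strict integer validation and a mysqli prepared statement. The `$conn` connection object and the `categories` table with an integer `id` column are assumptions.

```php
<?php
// Added example: representative code, NOT the project's own manage_category.php.
// Assumptions: a mysqli connection in $conn and a `categories` table with an
// integer `id` column; the advisory specifies neither.

// VULNERABLE pattern: the untrusted id value is concatenated into the query text,
// so a value such as  1' OR '1'='1  changes the structure of the statement.
// A malformed statement here surfaces as a database error, which is what the
// "How to Verify" step looks for.
function load_category_vulnerable(mysqli $conn): ?array
{
    $id  = $_GET['id'] ?? '';
    $sql = "SELECT id, name FROM categories WHERE id = '" . $id . "'";
    $res = $conn->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// HARDENED: validate the type first, then bind the value so the database driver
// never parses it as SQL. Access control on /admin/ is a separate control.
function load_category_safe(mysqli $conn): ?array
{
    // Reject anything that is not a positive integer before it reaches the database.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === null || $id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $conn->prepare('SELECT id, name FROM categories WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $conn->error); // detail stays in the server log
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i' = integer; the value is sent separately from the SQL
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}
```

The same change applies to every other query in the file that takes a request parameter; fixing only the id lookup leaves any sibling queries exposed.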

Web Application Firewall (WAF) (applies to: all)

Deploy WAF rules to block SQL injection patterns targeting the id parameter. Add a WAF rule that denies requests with SQL keywords in the id parameter to manage_category.php.

🧯 If You Can't Patch

  • Restrict access to php-lfis/admin/ directory using IP whitelisting or authentication
  • Disable or remove the vulnerable system entirely and use alternative software

🔍 How to Verify

Check if Vulnerable:

Test by accessing /php-lfis/admin/categories/manage_category.php?id=1' OR '1'='1 and checking for SQL errors or unexpected behavior.

Check Version:

Check version in system documentation or configuration files; no standard command available.

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or properly handled without database errors.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Multiple requests to manage_category.php with suspicious id parameters
  • Admin login attempts from unusual IPs

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, etc.) in id parameter
  • Unusual database queries from web server IP

SIEM Query:

source="web_logs" AND uri="/php-lfis/admin/categories/manage_category.php" AND (id="*'*" OR id="*UNION*" OR id="*SELECT*")
