CVE-2024-38347

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in CodeProjects Health Care Hospital Management System v1.0 allows attackers to execute arbitrary SQL commands through the Room Information module's id parameter. This affects all users running the vulnerable version, potentially compromising database confidentiality, integrity, and availability.

💻 Affected Systems

Products:
  • CodeProjects Health Care Hospital Management System
Versions: v1.0
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of v1.0; no specific configuration required for vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access and extraction of sensitive patient records, hospital operations data, and administrative credentials.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET/POST parameter requires minimal technical skill; exploit tools widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries and input validation in Room Information module code.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection rules to block malicious requests

Input Validation Filter

all

Add server-side validation that accepts only numeric values for the id parameter, and reject the request before any query is built

// PHP example: if (!is_numeric($_GET['id'] ?? '')) { http_response_code(400); die('Invalid input'); }
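The following is an added example, not code from the CodeProjects application, showing the two layers the Official Fix instructions and this workaround call for together: integer validation of the id parameter, then a prepared statement so the SQL text never contains user data. The table name room and its columns are assumptions (the advisory does not give the schema), and an in-memory SQLite database stands in for MySQL so the script runs offline; with MySQL only the PDO DSN changes.

```php
<?php
// Added example (not the application's own code). Requires the pdo_sqlite
// extension, which is bundled with most PHP builds.
declare(strict_types=1);

// VULNERABLE pattern the advisory describes (shown for contrast, not run):
// the raw id value is concatenated into the SQL text, so a quote character
// in $_GET['id'] changes the statement instead of being treated as data.
//   $sql  = "SELECT * FROM room WHERE id = '" . $_GET['id'] . "'";
//   $rows = $db->query($sql);

/** Build an in-memory database with a few constructed room rows. */
function openRoomDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver, emulated prepares build SQL text client-side;
    // disable them so the server receives statement and parameters separately.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE room (id INTEGER PRIMARY KEY, number TEXT, ward TEXT)');
    $ins = $db->prepare('INSERT INTO room (id, number, ward) VALUES (?, ?, ?)');
    foreach ([[1, '101', 'Cardiology'], [2, '102', 'Cardiology'], [3, '201', 'Pediatrics']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

/**
 * Layer 1: accept only a positive integer. Anything else (quotes, spaces,
 * "1.5", "1e3", negative numbers, a missing value) yields null and the
 * caller answers with HTTP 400 instead of running a query.
 */
function validateRoomId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Layer 2: bind the validated value as a typed parameter. The SQL text is a
 * constant; the database receives the id as data, never as query syntax.
 */
function findRoom(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, number, ward FROM room WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Request handler for the Room Information lookup: validate, then query. */
function handleRoomRequest(PDO $db, array $get): array
{
    $id = validateRoomId($get['id'] ?? null);
    if ($id === null) {
        return ['status' => 400, 'body' => 'Invalid room id'];
    }
    $room = findRoom($db, $id);
    if ($room === null) {
        return ['status' => 404, 'body' => 'Room not found'];
    }
    return ['status' => 200, 'body' => $room];
}

// Constructed requests: a normal lookup, the advisory's test payload,
// a non-integer value, and a request with no id at all.
$db = openRoomDb();
foreach ([['id' => '2'], ['id' => "' OR '1'='1"], ['id' => '1.5'], []] as $get) {
    $res = handleRoomRequest($db, $get);
    printf("%-16s -> %d %s\n", json_encode($get['id'] ?? null), $res['status'], json_encode($res['body']));
}
```

Only the first request reaches the database and returns room 102; the other three are rejected with 400 before any SQL is built. The validation layer is what makes the workaround above effective, and the prepared statement is what keeps the code safe even if a future change forgets to validate.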

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the Room Information module's id parameter with SQL injection payloads such as ' OR '1'='1 and check whether the response changes or a database error appears

Check Version:

Check system version in admin panel or about page

Verify Fix Applied:

Verify that parameterized queries are implemented in the Room Information module, then repeat the same payloads and confirm the application returns a validation error rather than query results or a database error

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed parameter validation attempts
  • Suspicious database query patterns

Network Indicators:

  • HTTP requests with SQL keywords in parameters
  • Unusual database port traffic from web server

SIEM Query:

web.url:*id=* AND (web.url:*OR* OR web.url:*UNION* OR web.url:*SELECT*)
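The query above matches SQL keywords anywhere in the raw URL, so it also fires on harmless substrings (an "order" parameter contains "or") and, depending on whether the SIEM normalizes URL encoding, can miss payloads whose characters are percent-encoded; it also says nothing about a non-integer id that carries no keyword at all. The scanner below is an added example, not part of the advisory or the vendor's tooling, that applies a tighter rule to web-server access logs: decode the request, isolate the id parameter of the Room Information page, and alert whenever it is not a plain positive integer. The log lines are constructed, the combined log format is assumed, and the path /room_info.php is a placeholder since the advisory does not name the module's script.

```php
<?php
// Added example (not the application's own code). Constructed access-log
// lines in Apache/nginx "combined" format; the module path is a placeholder.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [12/Jun/2024:10:01:02 +0000] "GET /room_info.php?id=12 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jun/2024:10:01:09 +0000] "GET /room_info.php?id=13&order=floor HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2024:10:02:41 +0000] "GET /room_info.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211 "-" "curl/8.4.0"
203.0.113.7 - - [12/Jun/2024:10:02:45 +0000] "GET /room_info.php?id=7abc HTTP/1.1" 500 0 "-" "curl/8.4.0"
10.0.0.8 - - [12/Jun/2024:10:03:00 +0000] "GET /index.php?page=doctors HTTP/1.1" 200 820 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one combined-format line into client, path, decoded query
 * parameters and status code. Returns null for lines that do not match.
 */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = parse_url($m[3]);
    $query = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $query); // decodes %xx sequences and '+'
    }
    return [
        'client' => $m[1],
        'path'   => $parts['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[4],
    ];
}

/** True when the id value is a plain positive integer, the only legitimate shape. */
function isPlainId(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]) !== false;
}

/**
 * Scan log text and return one alert per request to $path whose id
 * parameter is missing the expected integer shape (or is an array, as
 * with id[]=...). Requests without an id and to other paths are ignored.
 */
function scanAccessLog(string $log, string $path = '/room_info.php'): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null || $req['path'] !== $path || !array_key_exists('id', $req['query'])) {
            continue;
        }
        $id = $req['query']['id'];
        if (!is_string($id) || !isPlainId($id)) {
            $alerts[] = [
                'client' => $req['client'],
                'id'     => is_string($id) ? $id : json_encode($id),
                'status' => $req['status'],
            ];
        }
    }
    return $alerts;
}

foreach (scanAccessLog(SAMPLE_LOG) as $a) {
    printf("ALERT client=%s status=%d id=%s\n", $a['client'], $a['status'], json_encode($a['id']));
}
```

Running it produces two alerts, both from 203.0.113.7: the percent-encoded form of the advisory's test payload, which decodes to ' OR '1'='1, and the keyword-free value 7abc, which the SIEM query would not flag. The line with order=floor is not reported even though it contains the substring "or". Pairing the 500 status on the second request with the odd id value is a useful triage signal, since a raw quote reaching the database typically surfaces as a server error in the application log, as listed under Log Indicators.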

🔗 References