CVE-2024-40392

9.8 CRITICAL

📋 TL;DR

This CVE describes a SQL injection vulnerability in the Pharmacy/Medical Store Point of Sale System version 1.0. Attackers can inject malicious SQL commands through the name parameter in addnew.php, potentially compromising the database. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • SourceCodester Pharmacy/Medical Store Point of Sale System
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the default installation with the vulnerable addnew.php file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, or remote code execution on the database server.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information (patient records, financial data), and potential privilege escalation.

🟢 If Mitigated

Limited to error messages or partial data exposure if input validation and parameterized queries are partially implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET/POST parameters is well-understood with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider replacing with secure software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Sanitization

Implement strict input validation and parameterized queries for the name parameter in addnew.php.

Edit addnew.php to replace raw SQL with prepared statements using mysqli or PDO.
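A worked version of this change, added here as an illustration and not taken from the SourceCodester code base (the `medicine` table and `name` column, the `$conn` connection details and the 100-character limit are assumptions):

```php
<?php
// Added example, not the project's own addnew.php. Table/column names, the
// connection parameters and the length limit are assumptions.

// Vulnerable pattern: the request value is spliced straight into the SQL text,
// so a quote character in the `name` parameter changes the query's structure.
function add_item_vulnerable(mysqli $conn, string $name): bool
{
    $sql = "INSERT INTO medicine (name) VALUES ('" . $name . "')";
    return $conn->query($sql) !== false;
}

// Hardened version: the query shape is fixed at prepare() time and the value is
// bound as data, so it is never parsed as SQL. Validation on top keeps the value
// within what the field is meant to hold.
function add_item_safe(mysqli $conn, string $name): bool
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 100) {
        return false; // reject out-of-range input before it reaches the database
    }
    $stmt = $conn->prepare("INSERT INTO medicine (name) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $name); // 's' = bind as a string value
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed call site in addnew.php: read the parameter once, pass it through the
// safe function, and never echo raw database errors back to the client.
$conn = new mysqli('localhost', 'db_user', 'db_pass', 'pharmacy_db'); // assumed
$conn->set_charset('utf8mb4');
$name = $_POST['name'] ?? '';
if (add_item_safe($conn, $name)) {
    echo 'Item added';
} else {
    http_response_code(400);
    echo 'Invalid name';
}
```

The same pattern applies to every other parameter addnew.php writes to the database; the PDO equivalent is `$pdo->prepare(...)` followed by `execute([$name])`.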

Web Application Firewall (WAF)

Deploy a WAF with SQL injection rules to block malicious requests.

Configure WAF rules to detect and block SQL injection patterns in the name parameter.

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict access to trusted networks only.
  • Implement strict network segmentation and monitor all database access attempts.

🔍 How to Verify

Check if Vulnerable:

Test the name parameter in addnew.php with SQL injection payloads (e.g., ' OR '1'='1) and observe database errors or unexpected behavior.

Check Version:

Check the software version in the admin panel or configuration files.

Verify Fix Applied:

Verify that parameterized queries are implemented in addnew.php and test with SQL injection payloads to ensure they are blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or parameter manipulation in web server logs

Network Indicators:

  • HTTP requests with SQL keywords (e.g., UNION, SELECT) in the name parameter

SIEM Query:

source="web_server" AND (name="*UNION*" OR name="*SELECT*" OR name="*OR*1*1*")
