Login Sign Up

CVE-2024-41550

7.2 HIGH
SQL Injection

📋 TL;DR

CampCodes Supplier Management System v1.0 contains a SQL injection vulnerability in the admin view_invoice_items.php endpoint via the 'id' parameter. This allows attackers to execute arbitrary SQL commands on the database. Organizations using this specific version of the software are affected.

💻 Affected Systems

Products:
  • CampCodes Supplier Management System
Versions: v1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin interface to be accessible. The vulnerability is in the default installation.

📦 What is this software?

Supplier Management System by Campcodes

View all CVEs affecting Supplier Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized data access, extraction of sensitive supplier information, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error-based information disclosure.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface, making it directly exploitable from the internet.
🏢 Internal Only: MEDIUM - If only accessible internally, risk is reduced but still significant for insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Apply input validation and parameterized queries to the affected PHP file.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add input validation and parameterized queries to the vulnerable PHP file to prevent SQL injection.

Edit /admin/view_invoice_items.php to use prepared statements with PDO or mysqli

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests.

🧯 If You Can't Patch

  • Restrict access to the admin interface using IP whitelisting or VPN
  • Implement database user with minimal privileges (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads: /admin/view_invoice_items.php?id=1' OR '1'='1

Check Version:

Check application version in admin panel or readme files

Verify Fix Applied:

Test with same payloads and verify no SQL errors or unexpected data is returned

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Unusual database queries from web application user
  • Multiple failed login attempts followed by SQL payloads

Network Indicators:

  • HTTP requests to /admin/view_invoice_items.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_server.log" AND ("SQL syntax" OR "You have an error in your SQL syntax" OR "admin/view_invoice_items.php" AND ("UNION" OR "SELECT" OR "OR '1'='1"))

📊 Metadata

CVE ID: CVE-2024-41550
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: July 24, 2024
Last Updated: May 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-41550, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)