CVE-2024-41551

9.8 CRITICAL

📋 TL;DR

CampCodes Supplier Management System v1.0 contains a SQL injection vulnerability in the admin endpoint /admin/view_order_items.php: the id parameter is used to build a database query without parameterization, so anyone with access to the admin interface can inject arbitrary SQL. Every deployment of this version is affected and no fixed release exists. Through the injection an attacker can read, modify, or delete database content and, depending on the privileges of the database account, go further.

💻 Affected Systems

Products:
  • CampCodes Supplier Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin interface at /admin/view_order_items.php with the 'id' parameter.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft or destruction of supplier, order, and user data, authentication bypass by reading or rewriting credential rows, and code execution on the host if the database account holds the FILE privilege and can write into the web root (for example via SELECT ... INTO OUTFILE).

🟠 Likely Case

Unauthorized access to sensitive supplier and order data, manipulation of order records, and escalation to other application accounts by reading or altering their rows.

🟢 If Mitigated

With the query parameterized the injection is eliminated; a least-privilege database account and a restricted admin interface limit what any residual SQL issue could reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access, but once authenticated the injection is a single GET parameter and needs no special tooling. Note the tension with the 9.8 score above, which corresponds to an attack needing no privileges: with the admin login enforced, an attacker first needs admin credentials or a valid admin session (credential reuse, phishing, or some other weakness not covered by this advisory), which lowers the practical severity but not the impact once in.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries and input validation in the affected PHP file.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Rewrite the database access in /admin/view_order_items.php to use prepared statements (mysqli or PDO) with the id value bound as a parameter, and validate that id is a positive integer before it reaches the query. This is effectively the fix rather than a stopgap: nothing short of changing how the query is built removes the injection, and escaping or keyword filtering alone does not.
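As an added example (not code from the CampCodes project, whose exact query is not reproduced in this advisory), the following shows the typical shape of the bug next to a hardened mysqli version. The table and column names, the connection details, and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the CampCodes project. It shows the usual
// shape of the bug described above (an id value spliced into a SQL string)
// beside a hardened version. Table and column names (order_items,
// order_id, ...) and the connection details are assumptions.

// --- Vulnerable pattern (illustrative, do not use) -------------------------
// $id goes straight into the SQL text, so ?id=1' OR '1'='1 or a UNION SELECT
// becomes part of the query the server executes.
function get_order_items_vulnerable(mysqli $db, string $id): array
{
    $sql = "SELECT item_name, quantity, unit_price FROM order_items WHERE order_id = '$id'";
    $result = $db->query($sql);               // attacker controls the query text
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// --- Hardened version -----------------------------------------------------
// 1. Validate: id must be a positive integer; anything else is rejected
//    before the database is touched.
// 2. Bind: the value travels as a typed parameter, never as SQL text, so
//    even an odd-looking value cannot change the query's structure.
function get_order_items(mysqli $db, $raw_id): array
{
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    $stmt = $db->prepare(
        'SELECT item_name, quantity, unit_price FROM order_items WHERE order_id = ?'
    );
    $stmt->bind_param('i', $id);              // 'i' = integer parameter
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// --- Usage (assumed connection details) -----------------------------------
// Report mysqli errors as exceptions so a failed prepare/execute cannot be
// silently ignored and turned into an empty result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'sms_app', 'app-password', 'supplier_mgmt');

try {
    $items = get_order_items($db, $_GET['id'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}

foreach ($items as $row) {
    // htmlspecialchars() covers the separate problem of reflecting database
    // content into HTML unescaped.
    printf("%s x%d @ %s\n", htmlspecialchars($row['item_name']), $row['quantity'], $row['unit_price']);
}
```

The PDO equivalent is the same idea: `$pdo->prepare('... WHERE order_id = ?')->execute([$id])`. Keep the integer validation even with binding; it gives a clean 400 for garbage input and makes the expected type of the parameter explicit for whoever reads the code next.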

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules covering /admin/view_order_items.php. Treat this as a stopgap only: keyword blocklists for SQL injection are routinely bypassed with encoding, comments, and case variation. Because the id parameter on this endpoint should only ever be a positive integer, a positive rule that rejects any non-numeric id value is simpler and harder to evade than a blocklist of SQL keywords.

🧯 If You Can't Patch

  • Restrict access to the admin interface using IP allowlisting or a VPN; since the injection sits behind the admin login, this also cuts off the credential-stuffing that would be an attacker's first step.
  • Run the application with a least-privilege database account: grant only the DML it needs on its own schema, and no FILE, SUPER, or DDL privileges, which closes the file-write path to code execution. The affected page itself only needs SELECT, but the application as a whole writes to the database, so a fully read-only account is usually not an option.

🔍 How to Verify

Check if Vulnerable:

Against a test copy, or a production instance you are authorized to test, log in as admin and send paired boolean probes to /admin/view_order_items.php, URL-encoded: id=1 AND 1=1 versus id=1 AND 1=2 for an unquoted numeric context, and id=1' AND '1'='1 versus id=1' AND '1'='2 for a quoted one. If one member of a pair returns the order's items and the other returns none, the id value is being spliced into the query and the endpoint is injectable. The classic ' OR '1'='1 probe works too, but a visible SQL error is not required for the endpoint to be vulnerable, and its absence does not prove it is safe.

Check Version:

Check the software version in the admin panel or in the application's configuration files. The vendor has not published a fixed version, so any v1.0 deployment that still builds the query from the raw id should be assumed vulnerable.

Verify Fix Applied:

Repeat the same probes after the change. With a parameterized query and integer validation in place, both members of each pair should behave like any other non-existent id (no rows, or a 400 if non-integers are rejected), and the response must not vary with the truth of the injected condition. A generic SQL error is not a passing result: it means the input is still reaching the database parser.

📡 Detection & Monitoring

Log Indicators:

  • MySQL syntax or "You have an error in your SQL syntax" messages in the PHP error log or application log, or surfaced in responses from /admin/view_order_items.php
  • Multiple failed admin login attempts followed by requests with SQL injection patterns, consistent with the exploit needing an admin session
  • Queries from the application's database account that the application never issues: UNION SELECT, reads of information_schema or mysql.user, SLEEP()/BENCHMARK(), or INTO OUTFILE (visible in the MySQL general or audit log if enabled)

Network Indicators:

  • HTTP requests to /admin/view_order_items.php whose id parameter is not a plain positive integer, in particular values containing quotes, SQL keywords, comment sequences (--, #, /*), or URL-encoded forms of these (%27, %20OR%20)
  • Responses from that endpoint that are much larger than normal (UNION-based extraction) or that take a consistent extra delay (time-based extraction); since the injection rides on the application's existing connection, database connection counts usually do not change

SIEM Query:

source="web_logs" AND uri="/admin/view_order_items.php" AND param="id" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "'" OR value CONTAINS "OR '1'='1")

Two points on the query: the parentheses matter, since without them the OR clauses match any log line containing SELECT regardless of URI, and the id value must be URL-decoded before matching or an encoded %27%20OR%20 payload slips through. Because id should only ever be a positive integer, a rule of the form value NOT MATCHES "^[0-9]+$" on this endpoint is the more reliable detector and catches payloads that use none of the listed keywords.
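As an added example (not part of the advisory), the following PHP script implements the detection logic above over a few constructed Apache-style access-log lines. It URL-decodes the id value before matching and flags any id that is not a plain positive integer in addition to the keyword patterns. The log lines, IP addresses, and function names are constructed for illustration.

```php
<?php
// Added example, not part of the advisory or the CampCodes project: a small
// detector for the SIEM logic above, run over constructed Apache-style
// access-log lines. It URL-decodes the query string before matching (a rule
// applied to the raw line misses %27%20OR%20...) and flags any request whose
// id is not a plain positive integer, which catches injection attempts that
// avoid the listed keywords entirely.

const TARGET_PATH = '/admin/view_order_items.php';

// Keyword patterns from the SIEM query plus the most common variants.
const SQLI_PATTERNS = [
    '/\bunion\b.*\bselect\b/i',
    '/\bselect\b.*\bfrom\b/i',
    "/'\s*(or|and)\s*'?\d/i",   // ' OR '1'='1   and   ' or 1=1
    '/\b(sleep|benchmark)\s*\(/i',
    '/--|#|\/\*/',              // comment sequences used to truncate the query
];

// Parse one combined-log line into the fields we need; returns null if it
// does not look like a request line. Assumed format:
//   IP - user [time] "METHOD /path?query HTTP/1.1" status bytes
function parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[5]);
    if ($url === false) {
        return null;
    }
    parse_str($url['query'] ?? '', $params);   // parse_str URL-decodes values
    return [
        'ip'     => $m[1],
        'user'   => $m[2],
        'time'   => $m[3],
        'method' => $m[4],
        'path'   => $url['path'] ?? '',
        'params' => $params,
        'status' => (int) $m[6],
    ];
}

// Return the reasons a request is suspicious; an empty list means benign.
function classify_request(array $req): array
{
    if ($req['path'] !== TARGET_PATH || !isset($req['params']['id'])) {
        return [];
    }
    $id = $req['params']['id'];
    if (is_array($id)) {                       // id[]=... is never legitimate here
        return ['id is an array'];
    }
    $id = (string) $id;
    $reasons = [];
    if (!preg_match('/^\d+\z/', $id)) {        // \z: no trailing newline allowed
        $reasons[] = 'non-numeric id';
    }
    foreach (SQLI_PATTERNS as $pattern) {
        if (preg_match($pattern, $id)) {
            $reasons[] = 'matches ' . $pattern;
        }
    }
    return $reasons;
}

// Constructed sample lines (not real traffic). The first is a normal request;
// the next three are injection attempts in URL-encoded form; the last is a
// similar payload against a different path and is ignored by this rule.
$sample_log = <<<'LOG'
203.0.113.10 - admin [12/Jul/2024:10:01:02 +0000] "GET /admin/view_order_items.php?id=42 HTTP/1.1" 200 1834
203.0.113.10 - admin [12/Jul/2024:10:01:09 +0000] "GET /admin/view_order_items.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
203.0.113.10 - admin [12/Jul/2024:10:01:15 +0000] "GET /admin/view_order_items.php?id=42%20UNION%20SELECT%201,user(),3,4--%20- HTTP/1.1" 200 2210
203.0.113.10 - admin [12/Jul/2024:10:01:21 +0000] "GET /admin/view_order_items.php?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 1834
198.51.100.7 - - [12/Jul/2024:10:02:00 +0000] "GET /index.php?id=42%20UNION%20SELECT%201 HTTP/1.1" 200 512
LOG;

foreach (explode("\n", $sample_log) as $line) {
    $req = parse_log_line($line);
    if ($req === null) {
        continue;
    }
    $reasons = classify_request($req);
    if ($reasons !== []) {
        printf("ALERT %s user=%s id=%s (%s)\n",
            $req['ip'], $req['user'], $req['params']['id'], implode('; ', $reasons));
    }
}
```

Run it with `php detect.php`; the three injection attempts against the target path are reported and the benign request and the off-path request are not. The "non-numeric id" check fires on every attempt regardless of which keywords it uses, which is why it is the rule worth keeping even if the pattern list is trimmed.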
