CVE-2024-42843

9.8 CRITICAL

📋 TL;DR

CVE-2024-42843 is a critical SQL injection vulnerability in Projectworlds Online Examination System v1.0 that allows attackers to execute arbitrary SQL commands via the subject parameter in feed.php. This affects all users running the vulnerable version of this web application, potentially exposing sensitive examination data and system information.

💻 Affected Systems

Products:
  • Projectworlds Online Examination System
Versions: v1.0
Operating Systems: Any OS running a PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installation with no specific configuration requirements.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft of all stored data and authentication bypass using dumped credentials. If the database account can write files (for example MySQL INTO OUTFILE with the FILE privilege) or stacked queries are possible, this escalates to remote code execution and full system takeover.

🟠 Likely Case

Unauthorized read access to examination data, student records, and administrative credentials stored in the database.

🟢 If Mitigated

Limited impact: a parameterized query removes the injection itself, and a least-privilege database account (access only to the tables feed.php needs, no FILE or administrative privileges) confines any remaining flaw to non-sensitive data.

🌐 Internet-Facing: HIGH - Web application accessible from internet with unauthenticated SQL injection vector.
🏢 Internal Only: MEDIUM - Still significant risk if internal users can access the vulnerable endpoint.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection via GET/POST parameter with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is known. Fix the query in feed.php directly: replace string concatenation of the subject parameter with a prepared statement (PDO or mysqli with a bound parameter), and validate the value against its expected format as a second layer. Input filtering on its own does not close an injection.

🔧 Temporary Workarounds

WAF Rule Implementation (all platforms)

Deploy web application firewall rules to block SQL injection patterns in the subject parameter. Treat this as a stopgap: encoded or novel payloads can slip past signature matching, so it does not replace fixing the query.

# Example ModSecurity rule (libinjection-based SQLi detection on the subject parameter):
SecRule ARGS:subject "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in feed.php subject parameter'"

Prepared Statement in feed.php (all platforms)

Replace the concatenated query with a prepared statement and treat validation of the subject value as defence in depth only. FILTER_SANITIZE_STRING, which many copy-paste "fixes" use, strips HTML tags but does not neutralise quotes in SQL and is deprecated since PHP 8.1.

<?php
// Bind the value as a parameter so it is never parsed as SQL. FILTER_SANITIZE_STRING
// is not an SQL injection defence and is deprecated since PHP 8.1.
// $pdo: existing PDO connection; table/column names are placeholders for feed.php's real query.
$subject = $_GET['subject'] ?? '';
$stmt = $pdo->prepare('SELECT * FROM feed WHERE subject = ?');
$stmt->execute([$subject]);
?>

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from the web server
  • Run the application's database account with least privilege (only the tables feed.php needs, no FILE or administrative privileges) so a successful injection cannot reach the file system or other schemas

🔍 How to Verify

Check if Vulnerable:

Compare the responses to feed.php?subject=1' AND '1'='1 and feed.php?subject=1' AND '1'='2 (URL-encode the quotes, spaces and equals signs: %27, %20, %3D). If the two pages differ, the parameter is being concatenated into the query. The tautology feed.php?subject=1' OR '1'='1 returning every record is the same signal. Only probe systems you are authorised to test.

Check Version:

Check system documentation or the admin panel for version information. Because no fixed release is known, treat every deployment as affected until the query in feed.php has been rewritten.

Verify Fix Applied:

Confirm that feed.php passes the subject value as a bound parameter of a prepared statement (not via string concatenation or escaping), then re-run the payloads above: the true/false probes must now return identical responses and the tautology must return no extra rows.
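The following is an added example, not code from the Projectworlds project or this page: it reproduces the feed.php pattern against an in-memory SQLite table so the effect of string concatenation versus parameter binding, and the true/false differential check from the verification steps, can be observed without touching a live system. The table name, columns and rows are constructed for illustration; the real schema behind feed.php is not reproduced here.

```python
import sqlite3

# Added example (not the project's code): a constructed "feed" table standing in
# for whatever feed.php queries. Names and rows are illustrative only.

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feed (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO feed (subject, body) VALUES (?, ?)",
        [("Math", "Exam on Monday"), ("Physics", "Lab report due"), ("History", "Essay topics")],
    )
    return conn

def feed_vulnerable(conn, subject):
    # Mirrors a concatenated query: the attacker's quote closes the string literal
    # and the rest of the value becomes SQL.
    sql = "SELECT id, subject, body FROM feed WHERE subject = '" + subject + "'"
    return conn.execute(sql).fetchall()

def feed_fixed(conn, subject):
    # Parameter binding: the value is sent separately from the statement and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT id, subject, body FROM feed WHERE subject = ?"
    return conn.execute(sql, (subject,)).fetchall()

TAUTOLOGY   = "1' OR '1'='1"       # payload from the "How to Verify" section
TRUE_PROBE  = "Math' AND '1'='1"   # boolean pair: concatenation makes these differ,
FALSE_PROBE = "Math' AND '1'='2"   # binding makes both match no row at all

def is_injectable(query_fn, conn):
    """Differential check: a concatenated query returns different rows for the
    TRUE and FALSE probes; a bound parameter returns no rows for either, because
    no subject is literally equal to the probe string."""
    return query_fn(conn, TRUE_PROBE) != query_fn(conn, FALSE_PROBE)

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, tautology:", len(feed_vulnerable(conn, TAUTOLOGY)), "rows")  # 3
    print("fixed, tautology:     ", len(feed_fixed(conn, TAUTOLOGY)), "rows")       # 0
    print("vulnerable injectable:", is_injectable(feed_vulnerable, conn))          # True
    print("fixed injectable:     ", is_injectable(feed_fixed, conn))               # False
```

The tautology dumps the whole table through the concatenated query and matches nothing through the bound one, which is exactly the before/after behaviour the verification steps describe. The same differential logic applies when probing the real endpoint over HTTP: compare the two responses rather than looking for a database error, since feed.php may suppress errors.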

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in PHP/application logs
  • Unusual database queries from web server IP
  • Multiple failed login attempts following SQL injection patterns

Network Indicators:

  • HTTP requests to feed.php with SQL keywords in parameters
  • Abnormal database traffic patterns from web application

SIEM Query (pseudo-syntax; adapt field names to your log schema and match on the URL-decoded query string, since attackers normally send %27 rather than a literal quote):

source="web_logs" AND uri="*feed.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR '1'='1*")
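The following is an added example, not part of this page or of any vendor tooling: a minimal detector for the network indicator above, run offline over constructed Apache-style access log lines. It decodes the query string before matching so percent-encoded payloads are caught, and only fires on the feed.php path and the subject parameter, which keeps noise from other endpoints out. The IP addresses, timestamps and requests in SAMPLE_LOG are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example (not from the page or any product): detect SQLi probes against
# feed.php's subject parameter in Apache combined-format access logs.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Indicators from the SIEM query plus common companions. These run on the
# decoded parameter value (parse_qs handles %27, %20 and '+' for us).
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b", re.I),
    re.compile(r"\bselect\b.*\bfrom\b", re.I),
    re.compile(r"'\s*(or|and)\s*'?[^']*'?\s*=", re.I),   # ' OR '1'='1 , ' AND '1'='2
    re.compile(r"(--|#|/\*)"),                           # comment terminators
    re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(", re.I),  # time-based probes
]

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious_subject(target):
    """Return (decoded_value, matched_pattern) when target hits feed.php with an
    SQLi-looking subject parameter, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "feed.php":
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("subject", []):
        for pat in SQLI_PATTERNS:
            if pat.search(value):
                return value, pat.pattern
    return None

def scan(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        found = suspicious_subject(rec["target"])
        if found:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "subject": found[0], "rule": found[1]})
    return hits

# Constructed sample traffic: one benign request, two encoded probes, one POST
# (body not visible in access logs) and one probe against a different script.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2024:10:01:02 +0000] "GET /feed.php?subject=Math HTTP/1.1" 200 1532',
    '203.0.113.5 - - [10/Aug/2024:10:01:09 +0000] "GET /feed.php?subject=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811',
    '203.0.113.5 - - [10/Aug/2024:10:01:15 +0000] "GET /feed.php?subject=1%27+UNION+SELECT+1,user,password+FROM+users-- HTTP/1.1" 200 10240',
    '203.0.113.5 - - [10/Aug/2024:10:01:21 +0000] "POST /feed.php HTTP/1.1" 200 1532',
    '198.51.100.9 - - [10/Aug/2024:10:02:00 +0000] "GET /index.php?subject=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 400',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two of the five lines are flagged, both from the same source. The POST line is not, which is the main caveat of this indicator: the vulnerable parameter can be sent in a request body, which access logs never record, so pair this with application-level logging of the subject value (or the WAF's audit log) for coverage of POST traffic.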
