CVE-2024-44648

6.5 MEDIUM

📋 TL;DR

PHPGurukul Small CRM 3.0 contains SQL injection vulnerabilities in the quote-details.php file via the id and adminremark parameters. These allow an attacker to execute arbitrary SQL commands against the application's database. Organizations running this specific CRM version are affected.

💻 Affected Systems

Products:
  • PHPGurukul Small CRM
Versions: Version 3.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP environment with database connectivity

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection to execute system commands.

🟠 Likely Case

Unauthorized access to sensitive CRM data including customer information, financial records, and business data.

🟢 If Mitigated

Limited data exposure if proper input validation and database permissions are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the quote-details.php endpoint with valid parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://phpgurukul.com/small-crm-php/

Restart Required: No

Instructions:

1. Check vendor website for security updates
2. Apply parameterized queries or input validation
3. Replace vulnerable quote-details.php file
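As an added illustration of step 2 (not code from PHPGurukul Small CRM), the snippet below shows the injectable string-building pattern the advisory describes next to a hardened version that validates id as an integer and binds both id and adminremark with mysqli prepared statements. The table and column names (tblquotes, QuoteID, AdminRemark), the $con mysqli handle and the request handling at the bottom are assumptions; get_result() requires the mysqlnd driver.

```php
<?php
// Added example, not the project's own code. Table/column names, the $con
// mysqli connection and the request-handling lines are assumptions.

// Before: untrusted values concatenated straight into the SQL text. This is
// the pattern that makes the id and adminremark parameters injectable.
function updateRemarkVulnerable(mysqli $con, string $id, string $remark): bool
{
    $sql = "UPDATE tblquotes SET AdminRemark='$remark' WHERE QuoteID=$id";
    return (bool) mysqli_query($con, $sql);
}

// After: reject a non-integer id early, then bind both values as parameters
// so the database never interprets them as SQL.
function updateRemarkSafe(mysqli $con, string $id, string $remark): bool
{
    $idValue = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($idValue === false) {
        return false; // not a positive integer: drop the request
    }
    $stmt = $con->prepare("UPDATE tblquotes SET AdminRemark=? WHERE QuoteID=?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $remark, $idValue); // 's' string, 'i' integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Same treatment for the read path, where id normally arrives via GET.
function fetchQuoteSafe(mysqli $con, string $id): ?array
{
    $idValue = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($idValue === false) {
        return null;
    }
    $stmt = $con->prepare("SELECT * FROM tblquotes WHERE QuoteID=?");
    $stmt->bind_param('i', $idValue);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assumed wiring inside quote-details.php:
// $quote = fetchQuoteSafe($con, $_GET['id'] ?? '');
// if (isset($_POST['adminremark'])) {
//     updateRemarkSafe($con, $_GET['id'] ?? '', $_POST['adminremark']);
// }
```

Validation alone (step 2's second option) is weaker than binding: a free-text field such as adminremark cannot be reduced to a safe character set, so the prepared statement is the control that actually closes the issue.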

🔧 Temporary Workarounds

Input Validation Workaround

Add input validation for id and adminremark parameters

Edit quote-details.php to validate parameters before SQL execution

WAF Rule Implementation

Deploy web application firewall rules to block SQL injection patterns

Configure WAF to detect and block SQL injection attempts on quote-details.php

🧯 If You Can't Patch

  • Implement strict input validation for all user-supplied parameters
  • Restrict database user permissions to minimum required access

🔍 How to Verify

Check if Vulnerable:

Test quote-details.php endpoint with SQL injection payloads in id and adminremark parameters

Check Version:

Check CRM version in admin panel or configuration files

Verify Fix Applied:

Verify parameterized queries are implemented and test with SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts via quote-details.php

Network Indicators:

  • SQL keywords in HTTP POST parameters to quote-details.php

SIEM Query:

source="web_logs" AND uri="*quote-details.php*" AND (param="*id=*" OR param="*adminremark=*") AND (content="*UNION*" OR content="*SELECT*" OR content="*INSERT*")
