CVE-2024-4915

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in Campcodes Online Examination System 1.0 allows attackers to manipulate database queries through the 'id' parameter in result.php. Remote attackers can potentially access, modify, or delete sensitive examination data. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Campcodes Online Examination System
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the result.php file specifically. Requires PHP/MySQL environment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including student records, exam results, administrative credentials, and potential system takeover.

🟠 Likely Case

Data exfiltration of sensitive student information and exam results, with possible data manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting unauthorized access.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and a public exploit exists.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit it, but doing so requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub. SQL injection via the 'id' parameter requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify result.php to use prepared statements and validate/sanitize the 'id' parameter

Replace SQL queries with PDO or mysqli prepared statements
Add input validation: if(!is_numeric($_GET['id'])) { die('Invalid input'); }
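
The workaround above, sketched as an added example (not the vendor's code, which this page does not show): strict integer validation of 'id' followed by a mysqli prepared statement. The table `results`, the columns `exam_title` and `score`, and the database account are assumptions; `get_result()` requires the mysqlnd driver.

```php
<?php
// Hypothetical hardened handler for a page like result.php (added example).
// Assumed, not from the vendor's code: table `results`, columns `exam_title`
// and `score`, and the placeholder read-only DB account used below.
// A typical injectable pattern concatenates input: "... WHERE id = '" . $_GET['id'] . "'"
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function parse_id($raw): ?int
{
    // Stricter than is_numeric(), which also accepts floats and exponents.
    // Rejects arrays (id[]=1), empty strings, signs and overlong values.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    return (int) $raw;
}

function fetch_result(mysqli $db, int $id): ?array
{
    // The id is bound as an integer and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT exam_title, score FROM results WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = parse_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid input');
}

try {
    $db = new mysqli('localhost', 'exam_ro', 'CHANGE_ME', 'exam_db');
    $row = fetch_result($db, $id);
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; never echo SQL errors to the client.
    error_log('result.php query failed: ' . $e->getMessage());
    http_response_code(500);
    exit('An error occurred');
}

if ($row === null) {
    http_response_code(404);
    exit('Result not found');
}
echo htmlspecialchars($row['exam_title'], ENT_QUOTES, 'UTF-8'), ': ', (int) $row['score'];
```

Connecting with an account that holds only SELECT on the tables this page reads also limits what any remaining injection elsewhere in the application can change.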

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block SQL injection patterns in URL parameters
Add rule: SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny"

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement database-level protections: restrict user permissions, enable logging

🔍 How to Verify

Check if Vulnerable:

Test result.php?id=1' OR '1'='1 to see if an SQL error appears

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Test with SQL injection payloads and verify proper error handling

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests to result.php with special characters in id parameter

Network Indicators:

  • SQL injection patterns in HTTP requests
  • Unusual database query patterns

SIEM Query:

source="web_logs" AND uri="*result.php*" AND (query="*' OR*" OR query="*UNION*" OR query="*SELECT*FROM*")
