CVE-2024-4917

6.3 MEDIUM

📋 TL;DR

This is a critical SQL injection vulnerability in Campcodes Online Examination System 1.0 that allows attackers to manipulate database queries through the exmne_id parameter in submitAnswerExe.php. Attackers can execute arbitrary SQL commands remotely, potentially compromising the entire database. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Campcodes Online Examination System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution if database functions allow it.

🟠 Likely Case

Data exfiltration of sensitive examination data, student records, and authentication credentials, potentially leading to system takeover.

🟢 If Mitigated

Limited impact when proper input validation and database permissions are in place, though SQL injection attempts would still be logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider migrating to a supported alternative or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify submitAnswerExe.php to validate its input and to replace direct SQL concatenation with PDO or mysqli prepared statements that use parameterized queries.

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests, and configure rules that block SQL injection patterns in the exmne_id parameter.

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict access to authorized users only
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Test the submitAnswerExe.php endpoint with SQL injection payloads in the exmne_id parameter and observe database errors or unexpected behavior.

Check Version:

Check the system documentation or configuration files for version information, typically in readme files or admin panels.

Verify Fix Applied:

After implementing parameterized queries, test with SQL injection payloads to confirm they are handled as plain data and no longer execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in web server logs for submitAnswerExe.php
  • Database error logs showing SQL syntax errors from web application

Network Indicators:

  • HTTP requests to submitAnswerExe.php containing SQL keywords in parameters
  • Unusual database query patterns from web server IP

SIEM Query:

source="web_server" AND uri="/submitAnswerExe.php" AND (param="exmne_id" AND value MATCH "(?i)(union|select|insert|update|delete|drop|--|#|;)")
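
The SIEM query above, written as a standalone log check (an added example, not part of the original advisory). It assumes combined-format access logs in which exmne_id is visible in the request target, and that a legitimate exmne_id is a plain integer; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern taken from the SIEM query on this page.
SQLI = re.compile(r"(?i)(union|select|insert|update|delete|drop|--|#|;)")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "submitAnswerExe.php"
PARAM = "exmne_id"


def check_request(target, body=""):
    """Return (value, reason) findings for one request; body is an optional url-encoded form body."""
    parts = urlsplit(target)
    if not parts.path.endswith("/" + ENDPOINT):
        return []
    findings = []
    for source in (parts.query, body):
        # parse_qs percent-decodes, so encoded payloads are matched too.
        for value in parse_qs(source, keep_blank_values=True).get(PARAM, []):
            if SQLI.search(value):
                findings.append((value, "sql-pattern"))
            elif not (value.isascii() and value.isdigit()):
                # Assumption: a legitimate exmne_id is a plain integer.
                findings.append((value, "non-numeric"))
    return findings


def scan(lines):
    """Yield (line_number, value, reason) for suspicious access log lines."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for value, reason in check_request(match.group("target")):
                yield number, value, reason


# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '198.51.100.7 - - [10/May/2024:10:00:01 +0000] "GET /submitAnswerExe.php?exmne_id=12 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/May/2024:10:00:05 +0000] "GET /submitAnswerExe.php?exmne_id=12%20UNION%20SELECT%201 HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/May/2024:10:00:09 +0000] "GET /submitAnswerExe.php?exmne_id=abc HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/May/2024:10:00:12 +0000] "GET /index.php?exmne_id=1%3B HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs normally omit POST bodies, so when the parameter arrives in a form body, pass the body from a WAF or application log to `check_request` as its second argument. The non-numeric check catches probes that avoid the listed keywords, which the keyword pattern alone would miss.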
