CVE-2024-4926 – This is a critical SQL injection vulnerability ... (How to Fix)

Q: What is the severity of CVE-2024-4926?

CVE-2024-4926 has a CVSS score of 6.3 (MEDIUM). This is a critical SQL injection vulnerability in SourceCodester School Intramurals Student Attendance Management System 1.0. Attackers can manipulate the 'id' parameter in /intrams_sams/manage_student.php to execute arbitrary SQL commands remotely. All deployments of version 1.0 are affected.

📋 TL;DR

This is a critical SQL injection vulnerability in SourceCodester School Intramurals Student Attendance Management System 1.0. Attackers can manipulate the 'id' parameter in /intrams_sams/manage_student.php to execute arbitrary SQL commands remotely. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:

SourceCodester School Intramurals Student Attendance Management System

Versions: 1.0

Operating Systems: All platforms running PHP/MySQL

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable. No special configuration required for exploitation.

📦 What is this software?

School Intramurals Student Attendance Management System by Oretnom23

View all CVEs affecting School Intramurals Student Attendance Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠

Likely Case

Unauthorized access to student attendance data, personal information exposure, and potential system takeover.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH - Attack can be launched remotely without authentication, making internet-facing instances extremely vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit code exists on GitHub. Attack requires no authentication and uses simple SQL injection techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Modify manage_student.php to use prepared statements and validate the 'id' parameter

Replace vulnerable SQL queries with PDO or mysqli prepared statements

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block SQL injection patterns in POST/GET parameters

🧯 If You Can't Patch

Isolate the system behind a reverse proxy with strict input validation
Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test the /intrams_sams/manage_student.php endpoint with SQL injection payloads in the 'id' parameter

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return error messages

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple requests with SQL keywords in parameters
Requests to manage_student.php with suspicious 'id' values

Network Indicators:

SQL syntax in HTTP parameters
Database error responses in HTTP traffic

SIEM Query:

source="web_server" AND (url="*manage_student.php*" AND (param="*id=*UNION*" OR param="*id=*SELECT*" OR param="*id=*OR*"))

📊 Metadata

CVE ID: CVE-2024-4926

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: May 16, 2024

Last Updated: February 10, 2025

🔗 References

https://github.com/Hefei-Coffee/cve/blob/main/sql7.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.264462 Permissions Required,VDB Entry
https://vuldb.com/?id.264462 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.333879 Third Party Advisory,VDB Entry
https://github.com/Hefei-Coffee/cve/blob/main/sql7.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.264462 Permissions Required,VDB Entry
https://vuldb.com/?id.264462 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.333879 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-4926, you might also want to check these: