CVE-2024-5051

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in SourceCodester Gas Agency Management System 1.0 allows attackers to manipulate database queries through the edituser.php file's id parameter. Remote attackers can potentially access, modify, or delete sensitive data in the database. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Gas Agency Management System
Versions: 1.0
Operating Systems: Any OS running PHP and MySQL/MariaDB
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The system requires PHP and a database backend.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including credential theft, data destruction, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, privilege escalation, and data manipulation affecting user accounts and sensitive agency information.

🟢 If Mitigated: Limited impact with proper input validation and database permissions preventing data exfiltration or modification.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details are available.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider implementing workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation and Sanitization (all)

  • Add parameterized queries or input validation to edituser.php
  • Modify edituser.php to use prepared statements: $stmt = $conn->prepare('SELECT * FROM users WHERE id = ?'); $stmt->bind_param('i', $_GET['id']);
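A fuller version of the prepared-statement fix above, added here as an example and not code from the Gas Agency Management System itself: the unsafe concatenation pattern beside a hardened lookup that validates id as an integer before binding it. It assumes PHP 8 with mysqli (mysqlnd, for get_result) and a `users` table as in the snippet above; the connection values are placeholders.

```php
<?php
// Added example, not the project's own edituser.php. Assumes PHP 8+ with mysqli
// (mysqlnd for get_result) and a `users` table; connection values are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholder credentials

// VULNERABLE pattern (the bug class behind CVE-2024-5051): the id value is spliced
// into the SQL text, so whatever the client sends is parsed as part of the query.
function load_user_unsafe(mysqli $conn, string $id): ?array
{
    $result = $conn->query("SELECT * FROM users WHERE id = '" . $id . "'");
    return $result->fetch_assoc() ?: null;
}

// HARDENED: reject anything that is not a positive integer, then pass the value as a
// bound parameter. The query text is fixed; the database never parses input as SQL.
function load_user_safe(mysqli $conn, mixed $raw): ?array
{
    // filter_var returns false for non-numeric strings, arrays (?id[]=1), null and values below 1.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $conn->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$user = load_user_safe($conn, $_GET['id'] ?? null);
if ($user === null) {
    http_response_code(404);
    exit('User not found');
}
```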

Web Application Firewall Rules (all)

  • Block SQL injection patterns targeting edituser.php
  • Add a WAF rule that rejects any id value that is not a plain integer (a rule that denies every request to edituser.php would also block legitimate use). ModSecurity example, as a chained rule: SecRule REQUEST_URI "@contains edituser.php" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected',chain" followed by SecRule ARGS:id "!@rx ^[0-9]+$"

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation and monitor for unusual database queries

🔍 How to Verify

Check if Vulnerable:

Test edituser.php?id=1' OR '1'='1 to see if it returns database errors or unexpected results

Check Version:

Check the software version in admin panel or readme files

Verify Fix Applied:

Test with SQL injection payloads after implementing fixes to ensure they're blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple requests to edituser.php with SQL syntax in parameters

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, etc.) targeting edituser.php

SIEM Query:

source="web_logs" AND uri="*edituser.php*" AND (query="*' OR*" OR query="*UNION*" OR query="*SELECT*" OR query="*--*" OR query="*;*" OR query="*/**")
