CVE-2024-5237 – This critical SQL injection vulnerability in Ca... (How to Fix)

Q: What is the severity of CVE-2024-5237?

CVE-2024-5237 has a CVSS score of 6.3 (MEDIUM). This critical SQL injection vulnerability in Campcodes Complete Web-Based School Management System 1.0 allows attackers to manipulate database queries through the 'grade' parameter in the /view/timetable_grade_wise.php file. Attackers can potentially read, modify, or delete sensitive school data including student records, grades, and personal information. All users running the vulnerable version are affected.

📋 TL;DR

This critical SQL injection vulnerability in Campcodes Complete Web-Based School Management System 1.0 allows attackers to manipulate database queries through the 'grade' parameter in the /view/timetable_grade_wise.php file. Attackers can potentially read, modify, or delete sensitive school data including student records, grades, and personal information. All users running the vulnerable version are affected.

💻 Affected Systems

Products:

Campcodes Complete Web-Based School Management System

Versions: 1.0

Operating Systems: Any OS running PHP/MySQL web server

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific PHP file mentioned; requires web server with PHP and database backend.

📦 What is this software?

Complete Web Based School Management System by Campcodes

View all CVEs affecting Complete Web Based School Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE escalation.

🟠

Likely Case

Unauthorized access to sensitive student and staff data, grade manipulation, or system disruption.

🟢

If Mitigated

Limited impact with proper input validation and database permissions in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploits exist.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available in GitHub repositories; SQL injection is straightforward to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Implement workarounds or consider alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameter validation and SQL injection filtering for the 'grade' parameter

Modify /view/timetable_grade_wise.php to validate and sanitize user input before database queries

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block requests containing SQL keywords in the grade parameter

🧯 If You Can't Patch

Isolate the system behind a firewall with strict access controls
Implement database user with minimal privileges (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test the /view/timetable_grade_wise.php endpoint with SQL injection payloads in the grade parameter

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Test that SQL injection payloads no longer execute and return appropriate error messages

📡 Detection & Monitoring

Log Indicators:

Unusual database queries from web server
SQL error messages in web logs
Multiple failed login attempts following SQL errors

Network Indicators:

HTTP requests to /view/timetable_grade_wise.php with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/view/timetable_grade_wise.php" AND (param="grade" AND value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR 1=1")

📊 Metadata

CVE ID: CVE-2024-5237

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: May 23, 2024

Last Updated: March 1, 2025

🔗 References

https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System%20-%20sql/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%2027.pdf Exploit,Third Party Advisory
https://vuldb.com/?ctiid.265988 Permissions Required,VDB Entry
https://vuldb.com/?id.265988 Permissions Required,VDB Entry
https://vuldb.com/?submit.339813 Third Party Advisory,VDB Entry
https://github.com/E1CHO/cve_hub/blob/main/Complete%20Web-Based%20School%20Management%20System%20-%20sql/Complete%20Web-Based%20School%20Management%20System%20-%20vuln%2027.pdf Exploit,Third Party Advisory
https://vuldb.com/?ctiid.265988 Permissions Required,VDB Entry
https://vuldb.com/?id.265988 Permissions Required,VDB Entry
https://vuldb.com/?submit.339813 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-5237, you might also want to check these: