CVE-2024-53603

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in PHPGurukul COVID 19 Testing Management System allows remote attackers to execute arbitrary SQL commands via the contactno parameter in the password recovery function. Attackers could access, modify, or delete database content. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • PHPGurukul COVID 19 Testing Management System
Versions: v1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability is in a core authentication-related function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution via database functions, and potential system takeover.

🟠 Likely Case

Database information disclosure, credential theft, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The password recovery page is typically accessible without authentication. SQL injection via POST parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to a supported alternative or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to only accept numeric values for contactno parameter

Add to password-recovery.php, before the contact number is used in any query (the isset check avoids an undefined-index notice when the field is missing): if (!isset($_POST['contactno']) || !is_numeric($_POST['contactno'])) { die('Invalid input'); }
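A worked version of this workaround next to the proper fix, as an added example that is not PHPGurukul's code: the digit-only check is the stopgap the advisory describes, and the prepared statement is what a custom fix should put in place of a query built by string concatenation. The table and column names (tblpatient, ContactNumber), the $con mysqli handle and the length bounds are assumptions for illustration.

```php
<?php
// Added example, not the vendor's code. Table/column names, the $con
// handle and the digit-count bounds are assumptions for illustration.

// Stopgap: accept only a plain digit string before it reaches the database.
// A contact number never legitimately contains quotes, spaces or keywords,
// so this alone blocks the injection class described in the advisory.
function validate_contactno(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $raw = trim($raw);
    // 6 to 15 digits is a constructed bound; adjust to the local numbering plan.
    if (!preg_match('/^[0-9]{6,15}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Real fix: bind the value as data with a prepared statement instead of
// interpolating it into the SQL text, i.e. replace the pattern
//   "SELECT ... WHERE ContactNumber='" . $_POST['contactno'] . "'"
// with a placeholder.
function find_account_by_contact(mysqli $con, string $contactno): ?array
{
    $stmt = $con->prepare(
        'SELECT ID, Email FROM tblpatient WHERE ContactNumber = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $contactno);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = $result->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Handler glue for password-recovery.php: validate, then query. A rejected
// value is logged as a probe indicator without echoing the input back.
// Call as handle_recovery($con, $_POST) where $con is the app's mysqli handle.
function handle_recovery(mysqli $con, array $post): ?array
{
    $contactno = validate_contactno($post['contactno'] ?? null);
    if ($contactno === null) {
        error_log('password-recovery: rejected non-numeric contactno from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(400);
        exit('Invalid input');
    }
    return find_account_by_contact($con, $contactno);
}
```

Digits-only is stricter than is_numeric(), which also admits signs, decimal points and exponent forms such as 1e3; either blocks quotes and keywords, but only the prepared statement removes the injection itself, so keep the check even after the query is fixed. mysqli_stmt::get_result() needs the mysqlnd driver; on builds without it, bind_result() and fetch() do the same job.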

WAF Rule

all

Block SQL injection patterns in contactno parameter

WAF rule: Block requests with SQL keywords in contactno parameter

🧯 If You Can't Patch

  • Disable the password recovery functionality entirely
  • Implement network segmentation to restrict access to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Test the /covid-tms/password-recovery.php endpoint with SQL injection payloads in contactno parameter

Check Version:

Check application version in source code or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and input validation is enforced

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed password recovery attempts with SQL patterns

Network Indicators:

  • POST requests to password-recovery.php containing SQL keywords

SIEM Query:

source="web_logs" AND url="/covid-tms/password-recovery.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "OR 1=1")
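The SIEM query above, implemented over constructed sample records as an added example that is not from the advisory. Each record is assumed to carry the decoded request body, which stock Apache and nginx access logs do not record, so in practice the source is a WAF or ModSecurity audit log or the application's own logging. The script also adds a second, broader rule: for this endpoint the field should only ever be digits, so any non-numeric contactno is worth flagging regardless of keyword case or spelling.

```php
<?php
// Added example, not part of the advisory or the vendor's code.
// Assumes log records that include the request body (constructed here);
// stock web-server access logs do not record POST bodies.

// Constructed sample records using RFC 5737 documentation addresses.
const SAMPLE_LOGS = [
    ['src' => '203.0.113.10', 'method' => 'POST', 'url' => '/covid-tms/password-recovery.php',
     'body' => 'contactno=9876543210&submit=1'],
    ['src' => '198.51.100.7', 'method' => 'POST', 'url' => '/covid-tms/password-recovery.php',
     'body' => 'contactno=1+OR+1%3D1&submit=1'],
    ['src' => '198.51.100.7', 'method' => 'POST', 'url' => '/covid-tms/password-recovery.php',
     'body' => 'contactno=0+union+select&submit=1'],
    ['src' => '198.51.100.9', 'method' => 'POST', 'url' => '/covid-tms/password-recovery.php',
     'body' => 'contactno=1%27&submit=1'],
    ['src' => '203.0.113.11', 'method' => 'GET', 'url' => '/covid-tms/index.php', 'body' => ''],
];

// The keyword list from the SIEM query on this page.
const SQL_KEYWORDS = ['UNION', 'SELECT', 'OR 1=1'];
const TARGET_URL = '/covid-tms/password-recovery.php';

// Returns a reason string when the record is suspicious, null otherwise.
function classify(array $rec): ?string
{
    if ($rec['method'] !== 'POST' || $rec['url'] !== TARGET_URL) {
        return null;
    }
    // parse_str URL-decodes the body the same way PHP decodes $_POST.
    parse_str($rec['body'], $params);
    $contactno = (string) ($params['contactno'] ?? '');

    // Rule 1: the page's keyword match, made case-insensitive.
    foreach (SQL_KEYWORDS as $kw) {
        if (stripos($contactno, $kw) !== false) {
            return 'sql-keyword:' . $kw;
        }
    }
    // Rule 2: the field is a phone number, so anything but digits is a probe
    // (catches quotes and comment markers that carry no keyword at all).
    if ($contactno !== '' && !ctype_digit($contactno)) {
        return 'non-numeric-contactno';
    }
    return null;
}

// Scans a list of records and returns the hits with their source address,
// which is the field to pivot on when tuning or blocking.
function scan(array $records): array
{
    $hits = [];
    foreach ($records as $i => $rec) {
        $reason = classify($rec);
        if ($reason !== null) {
            $hits[] = ['record' => $i + 1, 'src' => $rec['src'], 'reason' => $reason];
        }
    }
    return $hits;
}

foreach (scan(SAMPLE_LOGS) as $hit) {
    printf("record %d from %s: %s\n", $hit['record'], $hit['src'], $hit['reason']);
}
```

Run with php on the command line: records 2 and 3 hit the keyword rule (the lowercase "union select" in record 3 is the case a case-sensitive CONTAINS would miss), record 4 hits only the non-numeric rule, and the benign request and the unrelated GET are not reported. Two hits from the same source within a short window is the "multiple failed password recovery attempts with SQL patterns" indicator listed above.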
