CVE-2024-54810

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in the PHPGurukul Pre-School Enrollment System allows remote attackers to execute arbitrary SQL commands via the mobileno parameter in the password recovery function. This can lead to unauthorized data access, modification, or deletion. All installations of version 1.0 are affected.

💻 Affected Systems

Products:
  • PHPGurukul Pre-School Enrollment System Project
Versions: v1.0
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the admin/password-recovery.php endpoint to be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, system takeover, or ransomware deployment via SQL injection to RCE escalation.

🟠 Likely Case

Unauthorized access to sensitive student/parent data, credential theft, or database manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available in GitHub repository. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation or replacing the system.

🔧 Temporary Workarounds

Input Validation Implementation

all

Add server-side validation of the mobileno parameter before it is used in any SQL query.

Modify /preschool/admin/password-recovery.php so that the mobileno parameter is validated and reaches the database only through prepared statements or parameterized queries.
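A sketch of what that change can look like, as an added example rather than PHPGurukul's own code: allow-list validation of mobileno followed by a parameterized lookup. The function name, the tbladmin table, its columns, and the email parameter are assumptions for illustration, and an in-memory SQLite database with constructed data stands in for the application's MySQL database so the block runs offline.

```php
<?php
// Added example, not the project's code. Table and column names
// (tbladmin, Email, MobileNumber) are assumptions for illustration.

// Returns the admin ID matching email + mobile number, or null if none.
function find_admin_for_recovery(PDO $db, string $email, string $mobileno): ?int
{
    // Allow-list validation: a mobile number is digits only, bounded length.
    // Anything else is rejected before it gets near the database.
    if (preg_match('/\A[0-9]{7,15}\z/', $mobileno) !== 1) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Placeholders keep user input out of the SQL text entirely, so quotes
    // or keywords in the input are compared as data, never parsed as SQL.
    $stmt = $db->prepare(
        'SELECT ID FROM tbladmin WHERE Email = :email AND MobileNumber = :mobile'
    );
    $stmt->execute([':email' => $email, ':mobile' => $mobileno]);
    $id = $stmt->fetchColumn();

    return $id === false ? null : (int) $id;
}

// Constructed demo data (in-memory SQLite stands in for the MySQL database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbladmin (ID INTEGER PRIMARY KEY, Email TEXT, MobileNumber TEXT)');
$db->exec("INSERT INTO tbladmin (Email, MobileNumber) VALUES ('admin@example.test', '5550100123')");

// A well-formed number is looked up; a value with a quote and SQL keywords
// fails validation and never reaches the query.
var_dump(find_admin_for_recovery($db, 'admin@example.test', '5550100123'));
var_dump(find_admin_for_recovery($db, 'admin@example.test', "5550100123' OR 1=1"));
```

The validation and the prepared statement are independent layers: the statement alone stops the injection, and the allow-list keeps malformed input out of logs and downstream code.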

Access Restriction

all

Restrict access to vulnerable endpoint using web server configuration.

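Add .htaccess rule: Deny from all (Apache 2.2 syntax; Apache 2.4 uses Require all denied). An unscoped rule in a directory's .htaccess blocks every file in that directory, so scope it to password-recovery.php if the rest of the admin area must stay reachable.
Or configure the web server to block /preschool/admin/password-recovery.php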

🧯 If You Can't Patch

  • Implement WAF rules to block SQL injection patterns targeting the mobileno parameter.
  • Isolate the system behind network segmentation and restrict database access permissions.

🔍 How to Verify

Check if Vulnerable:

Test the /preschool/admin/password-recovery.php endpoint with SQL injection payloads in the mobileno parameter.

Check Version:

Check system documentation or configuration files for version information.

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed password recovery attempts with suspicious mobileno values

Network Indicators:

  • HTTP requests to /preschool/admin/password-recovery.php with SQL injection patterns in parameters

SIEM Query:

source="web_logs" AND uri="/preschool/admin/password-recovery.php" AND (param="mobileno" AND value MATCHES "[';]|UNION|SELECT|OR 1=1")
