CVE-2024-54934

9.8 CRITICAL

📋 TL;DR

Kashipara E-learning Management System v1.0 contains a SQL injection vulnerability in the delete_class.php admin endpoint. This allows attackers to execute arbitrary SQL commands, potentially compromising the entire database. Organizations using this specific version of the software are affected.

💻 Affected Systems

Products:
  • Kashipara E-learning Management System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only v1.0 is confirmed affected; other versions have not been assessed and may also be vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated: Limited impact if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to the delete_class.php endpoint. The referenced PDF contains technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries in delete_class.php and validate/sanitize all user inputs.
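The following is an added example, not Kashipara's source code: the assumed shape of a string-concatenating delete handler next to a hardened version using a PDO prepared statement. The table name `classes`, column `id`, request parameter `id`, the `$pdo` connection and the `admin_id` session key are all assumptions.

```php
<?php
// Added example (not the project's own code). Table `classes`, column `id`,
// request parameter `id`, $pdo and $_SESSION['admin_id'] are assumed names.

// BEFORE (assumed shape): the request value is concatenated into the SQL text,
// so a quote in ?id= changes the query structure (the CWE-89 pattern).
function delete_class_vulnerable(PDO $pdo, array $request): int
{
    $id  = $request['id'] ?? '';
    $sql = "DELETE FROM classes WHERE id = '" . $id . "'";
    return (int) $pdo->exec($sql);
}

// AFTER: the value is validated as a positive integer and then bound as a
// parameter, so it is sent to the server as data, never as SQL text.
function delete_class_safe(PDO $pdo, array $request): int
{
    // The page notes the endpoint is admin-only; keep that check in front.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        return 0;
    }
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400); // "' OR '1'='1" and any other non-integer is rejected here
        return 0;
    }
    $stmt = $pdo->prepare('DELETE FROM classes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows actually deleted
}

// Assumed wiring. Disabling emulated prepares makes MySQL perform a real
// server-side prepare instead of client-side quoting.
// $pdo = new PDO('mysql:host=localhost;dbname=elearning', $dbUser, $dbPass, [
//     PDO::ATTR_EMULATE_PREPARES => false,
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// session_start();
// echo delete_class_safe($pdo, $_POST);
```

Least privilege belongs alongside this: the database account the application connects with should hold only the DML rights delete_class.php needs, so a query that does slip through cannot read or drop unrelated tables.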

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Add server-side validation to sanitize user inputs in delete_class.php
  • Modify PHP code to use prepared statements with parameterized queries

Web Application Firewall (WAF) (applies to: all)

  • Deploy WAF rules to block SQL injection patterns
  • Configure WAF to detect and block SQL injection attempts

🧯 If You Can't Patch

  • Restrict access to /admin/delete_class.php endpoint using network ACLs
  • Implement database user with minimal privileges for the application

🔍 How to Verify

Check if Vulnerable:

Test the delete_class.php endpoint with SQL injection payloads (e.g., ' OR '1'='1) and observe database behavior

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Attempt SQL injection after implementing parameterized queries; the injected input should be treated as a literal value and the injection should fail

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from delete_class.php
  • Multiple failed delete attempts with SQL syntax

Network Indicators:

  • HTTP POST requests to delete_class.php containing SQL keywords

SIEM Query:

source="web_logs" AND uri="/admin/delete_class.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "OR '1'='1'")

🔗 References
