CVE-2024-5517

7.3 HIGH

📋 TL;DR

This is a critical SQL injection vulnerability in Online Blood Bank Management System 1.0 that allows attackers to execute arbitrary SQL commands via the useremail parameter in changepwd.php. Attackers can potentially access, modify, or delete database contents including sensitive medical data. All systems running this specific software version are affected.

💻 Affected Systems

Products:
  • itsourcecode Online Blood Bank Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the changepwd.php file specifically. Any installation with this file accessible is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution if database permissions allow.

🟠 Likely Case: Unauthorized access to sensitive patient/donor data, manipulation of blood bank records, and potential privilege escalation.

🟢 If Mitigated: Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. Attack requires access to the password change functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

1. Replace changepwd.php with a secure version using parameterized queries.
2. Implement proper input validation for the useremail parameter.
3. Sanitize all user inputs before database interaction.

🔧 Temporary Workarounds

  • WAF Rule Implementation (all): Deploy web application firewall rules to block SQL injection patterns targeting changepwd.php.
  • File Access Restriction (all): Restrict access to the changepwd.php file using authentication or IP whitelisting.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system
  • Enable detailed logging and monitoring for SQL injection attempts on changepwd.php

🔍 How to Verify

Check if Vulnerable:

Test the changepwd.php endpoint with SQL injection payloads in the useremail parameter

Check Version:

Check software version in system configuration or about page

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection attempts no longer succeed

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed password change attempts
  • SQL syntax errors in application logs

Network Indicators:

  • HTTP POST requests to changepwd.php containing SQL keywords
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/changepwd.php" AND (useremail CONTAINS "UNION" OR useremail CONTAINS "SELECT" OR useremail CONTAINS "--")
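
The SIEM query above as an offline log check, added here as an example and not taken from the vendor or the original advisory. It goes beyond the query by URL-decoding the value (including double encoding), matching case-insensitively, and flagging any useremail value that is not shaped like an e-mail address. The JSON log schema (client, method, uri, useremail) and the sample records are constructed assumptions.

```python
import json
import re
from urllib.parse import unquote

# Tokens from the SIEM query above, matched case-insensitively.
SQL_TOKENS = re.compile(r"\bunion\b|\bselect\b|--", re.IGNORECASE)
# Conservative shape of a legitimate e-mail address (assumption).
EMAIL_SHAPE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(record):
    """Return 'sql_tokens', 'not_an_email' or None for one log record."""
    uri = record.get("uri", "")
    if record.get("method") != "POST" or not uri.endswith("/changepwd.php"):
        return None
    email = decode(record.get("useremail", ""))
    if SQL_TOKENS.search(email):
        return "sql_tokens"
    if not EMAIL_SHAPE.fullmatch(email):
        return "not_an_email"
    return None

def scan(lines):
    """Return (client, verdict) for every suspicious JSON log line."""
    records = [json.loads(line) for line in lines]
    verdicts = [(r.get("client"), classify(r)) for r in records]
    return [hit for hit in verdicts if hit[1]]

# Constructed sample records; field names are an assumed log schema.
SAMPLE_LOG = [
    '{"client": "192.0.2.10", "method": "POST", "uri": "/changepwd.php", "useremail": "donor%40example.org"}',
    '{"client": "192.0.2.11", "method": "POST", "uri": "/changepwd.php", "useremail": "x%27%20UNION%20SELECT%201--"}',
    '{"client": "192.0.2.12", "method": "POST", "uri": "/changepwd.php", "useremail": "x%2527%2520union%2520select%25201"}',
    '{"client": "192.0.2.13", "method": "POST", "uri": "/changepwd.php", "useremail": "o%27brien"}',
    '{"client": "192.0.2.14", "method": "POST", "uri": "/login.php", "useremail": "select"}',
]

print(scan(SAMPLE_LOG))
```

The shape check is the stricter of the two signals: it flags values that carry none of the listed keywords, at the cost of false positives on unusual but valid addresses.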
