Login Sign Up

CVE-2024-7223

6.3 MEDIUM
SQL Injection

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary SQL commands via the 'id' parameter in the /view_model.php file of SourceCodester Lot Reservation Management System 1.0. This SQL injection can lead to unauthorized data access, modification, or deletion. All users running the affected version are vulnerable to exploitation.

💻 Affected Systems

Products:
  • SourceCodester Lot Reservation Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.

📦 What is this software?

Lot Reservation Management System by Oretnom23

View all CVEs affecting Lot Reservation Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data destruction, and potential server takeover via SQL injection leading to remote code execution.

🟠

Likely Case

Unauthorized access to sensitive reservation data, user information, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and SQL injection vulnerabilities are commonly weaponized due to their impact and ease of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Consider implementing input validation and parameterized queries as a workaround.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation for the 'id' parameter in /view_model.php to only accept expected data types and ranges.

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns targeting the /view_model.php endpoint.

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict access to authorized users only
  • Implement network segmentation and monitor all traffic to/from the vulnerable system

🔍 How to Verify

Check if Vulnerable:

Test the /view_model.php endpoint with SQL injection payloads in the 'id' parameter and observe database errors or unexpected behavior.

Check Version:

Check the application version in the admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that input validation is properly implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple requests to /view_model.php with suspicious 'id' parameter values

Network Indicators:

  • SQL keywords in HTTP GET parameters
  • Unusual database query patterns from the application server

SIEM Query:

source="web_logs" AND uri="/view_model.php" AND (param="id" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|;)")

📊 Metadata

CVE ID: CVE-2024-7223
CVSS v3 Score: 6.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89
Published: July 30, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-7223, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)