CVE-2024-7370
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary SQL commands via the 'id' parameter of /manage_quiz.php in SourceCodester Simple Realtime Quiz System 1.0: the parameter is placed into a database query without validation or parameter binding. An attacker who can reach that endpoint can read, modify, or delete database content. Every deployment of the vulnerable version is affected, since the flaw is in the application code rather than in a configuration setting.
💻 Affected Systems
- SourceCodester Simple Realtime Quiz System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database (theft or destruction of all quiz, result and account data). If the database account used by the application has file-write or other elevated privileges, or the host is otherwise misconfigured, the injection can be chained into code execution and full takeover of the server.
Likely Case
Unauthorized reading of quiz and user data, tampering with quiz content or results, or escalation to an administrative account by reading or rewriting the application's own user tables.
If Mitigated
Limited impact: with the parameter validated and bound (see workarounds) the injection is closed, and with a least-privilege database account even an unfixed instance confines the damage to the quiz schema.
🎯 Exploit Status
A public proof-of-concept exploit is available on GitHub. A SQL injection in a single request parameter is straightforward to weaponize with standard tooling, so assume exploitation requires no special skill.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a newer version if available or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Parameterized Queries
Modify /manage_quiz.php so that the 'id' parameter is validated as a positive integer and then passed to the database through a prepared statement (PDO or mysqli with a bound parameter) instead of being concatenated into the query string.
Validation alone is not sufficient protection; the bound parameter is what guarantees the value can never be interpreted as SQL. Apply the same change to any other query in the application that builds SQL from request parameters.
Web Application Firewall (WAF)
Deploy a WAF in front of the quiz system and block SQL injection patterns targeting the /manage_quiz.php endpoint.
Keyword-based WAF rules can be bypassed with URL encoding, comments and case changes, so treat the WAF as a stopgap only. A positive rule that rejects any request to /manage_quiz.php whose id parameter is not a plain integer is more robust than a keyword blacklist.
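The following is an added example, not code from SourceCodester or the quiz system itself. It shows the vulnerable pattern the first workaround above refers to (raw 'id' concatenated into SQL) beside a hardened version that validates the parameter and binds it with a mysqli prepared statement. The function names, the quiz_list table and the connection details are assumptions made for the example; the real manage_quiz.php is not reproduced here.

```php
<?php
// Added example (not SourceCodester's code). Table, function and
// connection names below are assumptions for illustration only.

// BEFORE (vulnerable pattern): the raw request value is concatenated
// into the SQL string, so id=1' OR '1'='1 rewrites the WHERE clause.
function load_quiz_vulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT * FROM quiz_list WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Positive validation: accept only a plain positive integer.
// FILTER_VALIDATE_INT rejects "1'", "1 UNION SELECT 1", "", "1.0" etc.
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// AFTER (hardened): validate, then bind. Even if validation were bypassed,
// a bound parameter is sent as data and can never change the query logic.
function load_quiz_safe(mysqli $db, $raw_id): ?array
{
    $id = validate_id($raw_id);
    if ($id === null) {
        http_response_code(400);   // reject the request outright
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM quiz_list WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Throw on database errors instead of returning false silently, so that
// injection attempts surface as exceptions in the application log.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Offline check of the validator (no database needed).
foreach (["7", "1' OR '1'='1", "1 UNION SELECT 1,2,3", "0", ""] as $in) {
    printf("%-22s => %s\n", var_export($in, true),
        validate_id($in) === null ? "rejected" : "ok");
}

// In the page itself the call would be (connection details assumed):
// $db = new mysqli('localhost', 'quiz_user', 'secret', 'quiz_db');
// $quiz = load_quiz_safe($db, $_GET['id'] ?? null);
```

Of the five sample inputs only "7" is accepted; the others are rejected before any SQL is built. The hardened function also uses the 'i' type specifier on bind_param, so the database receives an integer rather than a string even if a later code change weakens the validation.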
🧯 If You Can't Patch
- Restrict network access to the quiz system to trusted IPs only, and require authentication in front of /manage_quiz.php at the web server or reverse proxy if the page is reachable without a login.
- Run the application as a dedicated database user with only the privileges it needs on its own schema (no FILE, SUPER or access to other databases, and read-only where the workflow allows). This does not close the injection but keeps a successful attack confined to quiz data.
🔍 How to Verify
Check if Vulnerable:
On a copy of the system you are authorized to test, send requests to /manage_quiz.php with SQL injection payloads in the 'id' parameter (e.g. id=1' OR '1'='1) and compare the response with that for a plain integer id. A response that changes with the injected condition, or a visible SQL error, indicates the vulnerable code is present. Payloads are usually URL-encoded in transit (' becomes %27), so check what the server actually receives.
Check Version:
Check the application version in the admin panel or source code comments.
Verify Fix Applied:
Confirm in the source that the query in /manage_quiz.php takes 'id' through a bound parameter, and re-send the same payloads: they should now be rejected (for example with a 400) or return the same result as a plain integer id, never different data or a SQL error.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple requests to /manage_quiz.php with suspicious id parameters
Network Indicators:
- HTTP requests to /manage_quiz.php whose id parameter is not a plain integer, in particular values containing quotes or SQL keywords (SELECT, UNION, etc.). Decode the URL before matching, since payloads normally arrive as %27, %20 or +.
SIEM Query:
source="web_logs" AND uri="/manage_quiz.php" AND (id="*'*" OR id="*SELECT*" OR id="*UNION*")
This is a Splunk-style search and assumes the id field has already been extracted and URL-decoded from the request line; on raw access logs match the encoded forms (%27, %20UNION) as well. Keyword matches alone produce both false positives and misses, so the more reliable alert is any id value on this endpoint that is not a plain integer, combined with 5xx responses from the same source.
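As an added example that is not part of the original advisory, the following small PHP scanner applies the indicators above to web server access logs: it URL-decodes the request target, pulls out the id parameter for /manage_quiz.php, and flags anything that is not a plain integer. The log lines are constructed samples in Apache/nginx combined format; the field layout and the keyword list are assumptions for the example.

```php
<?php
// Added example (not from the original advisory): offline scanner for
// the detection indicators. Sample log lines below are constructed.

// Pull the 'id' query parameter out of a request target. parse_str()
// URL-decodes, so %27 becomes ' and + becomes a space before matching.
function extract_id_param(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params);
    return isset($params['id']) ? (string)$params['id'] : null;
}

// Classify one decoded id value. The positive rule (must be a plain
// integer) is what catches obfuscated payloads; the keyword and quote
// checks only attach a more specific label. Returns null for benign.
function classify_id(?string $id): ?string
{
    if ($id === null) {
        return null;
    }
    if (preg_match('/^\d+$/', $id)) {
        return null;                                   // benign
    }
    if (preg_match('/\b(union|select|sleep|benchmark)\b/i', $id)) {
        return 'sqli-keyword';
    }
    if (strpbrk($id, "'\"") !== false) {
        return 'sqli-quote';
    }
    return 'non-integer-id';
}

// Scan combined-format lines: ip - - [time] "METHOD TARGET HTTP/x" STATUS ...
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                                  // not a request line we understand
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        if (parse_url($target, PHP_URL_PATH) !== '/manage_quiz.php') {
            continue;                                  // only the affected endpoint
        }
        $label = classify_id(extract_id_param($target));
        if ($label !== null) {
            $hits[] = ['ip' => $ip, 'time' => $ts, 'method' => $method,
                       'label' => $label, 'target' => $target, 'status' => $status];
        }
    }
    return $hits;
}

// Constructed sample traffic (not real log data).
$sample = [
    '10.0.0.5 - - [10/Aug/2024:10:00:01 +0000] "GET /manage_quiz.php?id=7 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [10/Aug/2024:10:00:02 +0000] "GET /manage_quiz.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 5678',
    '10.0.0.9 - - [10/Aug/2024:10:00:03 +0000] "GET /manage_quiz.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 500 210',
    '10.0.0.9 - - [10/Aug/2024:10:00:04 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 300',
];

foreach (scan_log($sample) as $h) {
    printf("%s %s %-14s %s (status %s)\n",
        $h['time'], $h['ip'], $h['label'], $h['target'], $h['status']);
}
```

Run against the constructed sample, the benign request (id=7) and the request to a different page are ignored, the encoded quote payload is reported as sqli-quote, and the UNION request, which also produced a 500, is reported as sqli-keyword. Grouping hits by source address and counting them over a short window gives the "multiple requests with suspicious id parameters" indicator from the log section.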