CVE-2024-7637

7.3 HIGH

📋 TL;DR

CVE-2024-7637 is a critical SQL injection vulnerability in code-projects Online Polling 1.0 that allows remote attackers to execute arbitrary SQL commands via the email parameter in registeracc.php. This affects all installations of Online Polling 1.0 with the vulnerable registration component exposed. Attackers can potentially access, modify, or delete database content without authentication.

💻 Affected Systems

Products:
  • code-projects Online Polling
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with registeracc.php accessible are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠 Likely Case: Unauthorized access to sensitive user data, poll manipulation, or administrative account takeover

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects internet-facing registration functionality
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but attack surface is reduced compared to internet-facing deployments

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires minimal technical skill to execute. The vulnerability is in a straightforward parameter with no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider applying manual fixes or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Add parameterized queries or proper input validation for the email parameter handled in registeracc.php

Edit registeracc.php to replace direct SQL string concatenation with prepared statements using mysqli or PDO
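The workaround above, shown as an added example (this is not code from code-projects Online Polling): a registration handler that splices the email parameter into the SQL string, beside the same handler rewritten with mysqli prepared statements. Function names, the users table and its columns are assumptions.

```php
<?php
// Added example, not the project's own code. Table/column names are assumed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// BEFORE (vulnerable pattern): the request value becomes part of the SQL text,
// so a quote character in $email changes the structure of the query.
function register_insecure(mysqli $db, array $post): bool
{
    $email = $post['email'] ?? '';
    $sql   = "SELECT id FROM users WHERE email = '$email'";   // string concatenation
    $res   = $db->query($sql);
    if ($res->num_rows > 0) {
        return false;                                         // already registered
    }
    $db->query("INSERT INTO users (email, password_hash) VALUES ('$email', '')");
    return true;
}

// AFTER (hardened): validate the value, then bind it so it is only ever data.
function register_secure(mysqli $db, array $post): bool
{
    $email = trim($post['email'] ?? '');
    // Reject anything that is not syntactically an e-mail address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Placeholders keep query structure fixed regardless of the bound value.
    $stmt = $db->prepare('SELECT id FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $exists = $stmt->num_rows > 0;
    $stmt->close();
    if ($exists) {
        return false;                                         // already registered
    }

    $hash = password_hash($post['password'] ?? '', PASSWORD_DEFAULT);
    $ins  = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $ins->bind_param('ss', $email, $hash);
    $ok = $ins->execute();
    $ins->close();
    return $ok;
}
```

With `register_secure`, the payload from the verification step below (`test' OR '1'='1`) is rejected by `filter_var` before any query runs, and even a value that passed validation would be sent to the server as a bound parameter rather than as SQL text.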

Web Application Firewall Rules (applies to: all)

Block SQL injection patterns targeting the email parameter

Add a WAF rule: deny requests to registeracc.php whose email parameter contains SQL keywords

🧯 If You Can't Patch

  • Disable or remove the registeracc.php file if registration functionality is not required
  • Implement network-level restrictions so that only trusted IPs can reach the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Test registeracc.php with SQL injection payloads in email parameter (e.g., email=test' OR '1'='1)

Check Version:

Check software version in admin panel or readme files; this affects only version 1.0

Verify Fix Applied:

Repeat the injection test after applying the fixes; the attempt should now be rejected and produce no SQL error or unexpected database behaviour

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed registration attempts with SQL syntax in email field
  • Database queries from unexpected sources

Network Indicators:

  • HTTP POST requests to registeracc.php containing SQL keywords (UNION, SELECT, INSERT, etc.) in parameters

SIEM Query:

source="web_logs" AND uri="/registeracc.php" AND (email="*'*" OR email="*UNION*" OR email="*SELECT*")
