CVE-2024-7663

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability (scored 6.3, medium) in SourceCodester Car Driving School Management System 1.0 allows a remote attacker to inject arbitrary SQL through the 'id' parameter of manage_user.php, which the page accepts via GET or POST. A successful attack can read, modify, or delete database content. Every deployment of version 1.0 is affected, and no fixed version is known.

💻 Affected Systems

Products:
  • SourceCodester Car Driving School Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0; vulnerability is in core application code

📦 What is this software?

A free PHP/MySQL web application distributed through sourcecodester.com, typically installed on a local stack such as XAMPP and used as a learning or demo project rather than a hardened product. manage_user.php is the page that loads and edits user records; the 'id' parameter selects which record.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including data theft, data destruction and authentication bypass. If the database account holds FILE or similar privileges and the web root is writable, the injection can be chained into a file write and from there into code execution on the server.

🟠 Likely Case: Unauthorized read and write access to application data, theft of stored credentials, and privilege escalation within the application.

🟢 If Mitigated: With strict input validation and a least-privilege database account, impact is limited to error messages or partial data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof of concept is available. Exploitation is a single crafted GET or POST request that places SQL in the 'id' parameter of manage_user.php, so it needs no tooling beyond a browser or curl and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch is known for version 1.0. Apply the workarounds below, fix the query yourself (a prepared statement with 'id' bound as an integer; see Verify Fix Applied), or retire the application.

🔧 Temporary Workarounds

Web Application Firewall (WAF), platform: all

Deploy a WAF with SQL injection rules in front of the application. Treat it as a stopgap: signature rules can be evaded with encoding and comment tricks, so it does not replace fixing the query.

Input Validation Filter, platform: all

Reject any 'id' value that is not a plain integer before it reaches the query. The page takes the parameter from GET or POST, so check both. At the top of manage_user.php:

$id = filter_var($_GET['id'] ?? $_POST['id'] ?? null, FILTER_VALIDATE_INT);
if ($id === false) { http_response_code(400); die('Invalid input'); }

filter_var() with FILTER_VALIDATE_INT is stricter than is_numeric(), which also accepts floats, exponent notation such as 1e3, and leading whitespace. This blocks the known payloads, but it is still only a workaround; the durable fix is a prepared statement with the id bound as an integer.
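The vulnerable pattern this advisory describes, beside a hardened version of the same lookup. This is an added example, not the project's own code: the table and column names (users, id, username, role) and the database credentials in the usage sketch are assumptions.

```php
<?php
// Added example, not the project's code: the vulnerable pattern this advisory
// describes, beside a hardened version of the same lookup. Table and column
// names (users, id, username, role) and the credentials below are assumptions.

// Vulnerable pattern: the untrusted 'id' is spliced into the SQL text.
// id=1' OR '1'='1  turns the WHERE clause into  id = '1' OR '1'='1'  and matches every row.
function load_user_vulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT id, username, role FROM users WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened version: validate the type at the edge, then bind the value.
function load_user_safe(mysqli $db, ?string $raw): ?array
{
    // FILTER_VALIDATE_INT accepts only an integer literal; is_numeric()
    // would also let through "1.5", "1e3" and " 1".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid id');
    }

    // The SQL text contains no user data. The value travels separately, typed
    // as an integer, so quotes, comments and keywords in the input cannot
    // change the statement.
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Usage in manage_user.php (the page accepts the parameter via GET or POST):
// $db   = new mysqli('localhost', 'app_user', 'app_password', 'driving_school');
// $user = load_user_safe($db, $_GET['id'] ?? $_POST['id'] ?? null);
```

Both halves matter: the integer check gives a clean 400 for junk input, and the bound parameter keeps the statement safe even if a later edit relaxes the check or a different column is looked up by string.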

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict it to the internal network only
  • Run the application's database account with the least privilege it needs (no FILE, DROP or other DDL rights), so an injection cannot be chained into file writes or table destruction
  • Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Send manage_user.php?id=1' OR '1'='1 (quote encoded as %27) and compare the result with a plain id=1; an unfiltered parameter typically returns additional rows, a different page, or a SQL syntax error. For a quieter check, compare id=1 AND 1=1 with id=1 AND 1=2: a response that differs between the two shows the value is being evaluated as SQL. Test only systems you are authorized to assess.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify input validation rejects non-numeric 'id' values and parameterized queries are used

📡 Detection & Monitoring

Log Indicators:

  • Requests to manage_user.php whose 'id' value is not a plain integer (quotes, spaces, comment sequences, SQL keywords)
  • SQL syntax errors in application or database logs, especially in bursts from one client
  • Multiple failed login attempts from a single IP, which may accompany use of credentials pulled from the database
  • Database queries with suspicious patterns (UNION SELECT, SLEEP(), information_schema lookups)

Network Indicators:

  • HTTP requests to manage_user.php with SQL keywords in parameters
  • Unusual database port traffic from web server

SIEM Query:

source="web_logs" AND uri="*manage_user.php*" AND (param="*id=*'*" OR param="*id=*%27*")

URL-decode the query string before matching where your SIEM allows it; the %27 alternative only catches one layer of encoding, and the same search should cover POST bodies if your proxy logs them.
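The detection logic behind the SIEM query, as an added example that is not part of the original page: a small PHP scanner that walks combined-format access-log lines and flags every request to manage_user.php whose decoded 'id' is anything other than a plain integer. The log lines, client addresses and paths are constructed for illustration.

```php
<?php
// Added example, not from the original page: scan combined-format access-log
// lines for requests to manage_user.php whose 'id' parameter is not a plain
// integer. The log lines, addresses and paths below are constructed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [01/Aug/2024:10:01:02 +0000] "GET /app/admin/manage_user.php?id=5 HTTP/1.1" 200 1822
203.0.113.10 - - [01/Aug/2024:10:01:09 +0000] "GET /app/admin/manage_user.php?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9410
203.0.113.10 - - [01/Aug/2024:10:01:15 +0000] "GET /app/admin/manage_user.php?id=5%2527%20AND%20SLEEP(5)-- HTTP/1.1" 200 1822
198.51.100.7 - - [01/Aug/2024:10:02:00 +0000] "GET /app/admin/manage_user.php?id=12 HTTP/1.1" 200 1790
198.51.100.7 - - [01/Aug/2024:10:02:30 +0000] "GET /app/admin/index.php HTTP/1.1" 200 3300
LOG;

// Returns one entry per suspicious request: client IP and the decoded id value.
function find_sqli_probes(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP is the first field; the request line is the first quoted string.
        if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        [, $ip, $target] = $m;
        $parts = parse_url($target);
        if ($parts === false || basename($parts['path'] ?? '') !== 'manage_user.php') {
            continue;
        }
        parse_str($parts['query'] ?? '', $params);   // decodes one layer of %XX escapes
        if (!isset($params['id'])) {
            continue;
        }
        $id = rawurldecode($params['id']);           // second decode catches %2527-style double encoding
        if (preg_match('/^\d+$/', $id)) {
            continue;                                // plain integer: expected traffic
        }
        $hits[] = ['ip' => $ip, 'id' => $id];
    }
    return $hits;
}

foreach (find_sqli_probes(SAMPLE_LOG) as $hit) {
    printf("%s  id=%s\n", $hit['ip'], $hit['id']);
}
```

Only the two probing requests from 203.0.113.10 are reported, with their payloads fully decoded; the integer ids pass through. Checking "not a plain integer" instead of grepping for quotes avoids the keyword-and-encoding arms race that a signature-only query loses. Access logs do not contain POST bodies, so the same rule has to run on a reverse-proxy or application log for the POST path mentioned in Exploit Status.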

🔗 References
