CVE-2024-7871

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Easytest Online Test Platform allows authenticated attackers to execute arbitrary SQL commands through the word parameter in the online dictionary function. Attackers could potentially read, modify, or delete database contents. All users of Easytest Online Test Platform version 24E01 and earlier are affected.

💻 Affected Systems

Products:
  • Easytest Online Test Platform
Versions: 24E01 and earlier
Operating Systems: All platforms running the software
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit the vulnerable dictionary function.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized data access, privilege escalation, or data manipulation within the application database.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting damage scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection via word parameter requires authenticated user access but is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check vendor website for security updates
2. Apply any available patches for version 24E01 or later
3. Verify fix implementation

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement server-side input validation that rejects SQL metacharacters in the word parameter.

Web Application Firewall Rules (all platforms)

Deploy WAF rules that block SQL injection patterns in requests to the dictionary endpoint.

🧯 If You Can't Patch

  • Disable the online dictionary function entirely if not required
  • Implement strict database user permissions with least privilege access
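The following is an added example, not code from Easytest or from this advisory, showing the two controls named above: an allowlist validator for the word parameter and a parameterized lookup in place of string concatenation. The product's real stack and schema are not published here, so the example uses Python with an in-memory SQLite table (`dictionary(word, definition)`) as a stand-in; the function names, the allowlist regex and the sample rows are all assumptions. The unsafe variant is kept only to show why a character filter is a stopgap: a legitimate term containing an apostrophe already breaks the concatenated statement, which is the same construction the vulnerability relies on, while the parameterized query handles it as plain data.

```python
import re
import sqlite3

# Constructed stand-in for the platform's dictionary table (assumption: real schema unknown).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dictionary (word TEXT PRIMARY KEY, definition TEXT)")
    conn.executemany(
        "INSERT INTO dictionary VALUES (?, ?)",
        [("apple", "a fruit"), ("o'clock", "of the clock")],
    )
    return conn

def lookup_unsafe(conn, word):
    # 'Before' pattern: the user-controlled value is spliced into the SQL text.
    # Any quote in `word` changes the statement instead of being matched as data.
    sql = "SELECT definition FROM dictionary WHERE word = '" + word + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, word):
    # Parameterized: the value travels separately from the SQL text and can
    # never be interpreted as part of the statement.
    rows = conn.execute(
        "SELECT definition FROM dictionary WHERE word = ?", (word,)
    )
    return [row[0] for row in rows]

# Allowlist for a dictionary term: letters/digits/underscore, apostrophe, space,
# hyphen, 1-64 characters (assumed policy; adjust to the real vocabulary).
WORD_RE = re.compile(r"^[\w' -]{1,64}$")

def validate_word(word):
    # Allowlisting is a defence-in-depth layer; lookup_safe is the actual fix.
    return bool(WORD_RE.match(word))

def dictionary_lookup(conn, word):
    # Combined handler: reject out-of-policy input, then query with parameters.
    if not validate_word(word):
        raise ValueError("word parameter rejected by allowlist")
    return lookup_safe(conn, word)

if __name__ == "__main__":
    db = build_db()
    print(dictionary_lookup(db, "o'clock"))
    try:
        lookup_unsafe(db, "o'clock")
    except sqlite3.OperationalError as exc:
        print("concatenated query broke on an ordinary apostrophe:", exc)
```

Running it shows the parameterized lookup returning the definition for `o'clock` while the concatenated version raises a SQL syntax error on the same input; the allowlist additionally rejects anything with a semicolon, comment marker or other metacharacter before it reaches the database.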

🔍 How to Verify

Check if Vulnerable:

Test the dictionary function with SQL injection payloads in the word parameter while authenticated

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify parameterized queries are used and SQL injection attempts are properly rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed login attempts followed by dictionary function access
  • SQL syntax errors in application error logs

Network Indicators:

  • HTTP requests to dictionary endpoint with SQL keywords in parameters
  • Unusual database connection patterns from application server

SIEM Query:

source="app_logs" AND ("UNION SELECT" OR "' OR '1'='1" OR "EXEC(") AND uri="*/dictionary*"
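As an added example (not part of this advisory), the SIEM query above rendered as a small Python filter run over constructed access-log lines. One practical point it adds: requests arrive URL-encoded, so a literal match on "UNION SELECT" in the raw request line misses `UNION+SELECT` or `%20`; decode the URI before matching, and match case-insensitively. The log line format, the field names and the sample lines are all assumptions made for the demonstration; the three patterns are the ones the query already lists.

```python
import re
from urllib.parse import unquote_plus

# The three indicators from the SIEM query, as regexes tolerant of whitespace
# and case (the query's literal strings would miss "union   select").
PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r"UNION\s+SELECT", r"'\s*OR\s*'1'\s*=\s*'1", r"EXEC\(")
]

# Assumed access-log shape: "<timestamp> uid=<user> <method> <uri> <status>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d+)$"
)

def flag_dictionary_requests(lines):
    """Return (timestamp, uid, matched pattern) for dictionary requests
    whose decoded query string contains one of the indicators."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; real pipelines should count these
        uri = m.group("uri")
        path = uri.split("?", 1)[0]
        if "/dictionary" not in path:
            continue  # scope to the vulnerable endpoint, as the query's uri filter does
        decoded = unquote_plus(uri)  # %27 -> ', + -> space, etc.
        for pattern in PATTERNS:
            if pattern.search(decoded):
                hits.append((m.group("ts"), m.group("uid"), pattern.pattern))
                break
    return hits

# Constructed sample log: one benign lookup, two encoded indicator hits from
# the same account, and an indicator on an unrelated endpoint (out of scope).
SAMPLE_LOG = [
    "2024-08-16T10:01:02Z uid=alice GET /dictionary?word=apple 200",
    "2024-08-16T10:01:07Z uid=bob GET /dictionary?word=apple%27+UNION+SELECT+1 500",
    "2024-08-16T10:01:09Z uid=bob GET /dictionary?word=x%27+OR+%271%27%3D%271 200",
    "2024-08-16T10:02:00Z uid=carol GET /search?q=EXEC%28 200",
]

if __name__ == "__main__":
    for ts, uid, pattern in flag_dictionary_requests(SAMPLE_LOG):
        print(ts, uid, pattern)
```

On the sample data the filter reports the two requests from `bob` and ignores the benign lookup and the out-of-scope `/search` request. Pair the hits with the 500 status codes already in the log (the advisory's "SQL syntax errors" indicator) and with the account's login history to rank them.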

🔗 References