Login Sign Up

CVE-2024-8219

7.3 HIGH
SQL Injection

📋 TL;DR

CVE-2024-8219 is a critical SQL injection vulnerability in Responsive Hotel Site 1.0 that allows remote attackers to execute arbitrary SQL commands via the name, phone, or email parameters in index.php. This affects all users running the vulnerable version of this hotel management software.

💻 Affected Systems

Products:
  • Responsive Hotel Site
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the index.php file specifically through name, phone, and email parameters. No authentication required for exploitation.

📦 What is this software?

Responsive Hotel Site by Fabian

View all CVEs affecting Responsive Hotel Site →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized database access allowing extraction of sensitive guest information, booking data, and administrative credentials.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub and VulDB. Simple SQL injection requiring minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates. 2. If no patch available, implement workarounds. 3. Consider replacing with alternative software.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to sanitize name, phone, and email parameters before processing.

// PHP example: filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);

WAF Rule Implementation

linux

Deploy web application firewall rules to block SQL injection patterns targeting index.php parameters.

# ModSecurity example: SecRule ARGS "(?i:(union|select|insert|update|delete|drop).*)" "deny,status:403"

🧯 If You Can't Patch

  • Isolate the vulnerable system behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test index.php with SQL injection payloads in name, phone, or email parameters and observe database errors or unexpected behavior.

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Attempt SQL injection after fixes and confirm proper error handling without database interaction.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in POST parameters to index.php
  • Database error messages in web server logs
  • Multiple failed parameter manipulation attempts

Network Indicators:

  • POST requests to index.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/index.php" AND (param_name="name" OR param_name="phone" OR param_name="email") AND (query="SELECT" OR query="UNION" OR query="INSERT")

📊 Metadata

CVE ID: CVE-2024-8219
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89
Published: August 27, 2024
Last Updated: October 23, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8219, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)