CVE-2024-8346

6.3 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in SourceCodester Computer Laboratory Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the 'name' parameter in the update_settings_info function. Attackers can potentially read, modify, or delete database contents, including sensitive system data. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:
  • SourceCodester Computer Laboratory Management System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable by default


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, system takeover, or destruction of all laboratory management data

🟠 Likely Case: Unauthorized data access and modification, potentially exposing sensitive laboratory records and user information

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to non-critical data

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub, simple SQL injection requiring minimal technical skill

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement parameterized queries or prepared statements in /classes/SystemSettings.php to prevent SQL injection

Modify PHP code to use PDO or mysqli prepared statements for all database queries
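The following is an added illustration of the workaround above, not code from the Computer Laboratory Management System project. It assumes a `system_info` table with `meta_field` and `meta_value` columns and a `$conn` mysqli connection; the real schema and the exact shape of `update_settings_info` are not on this page. The first function shows the generic string-concatenation pattern that makes the `name` parameter injectable; the second binds the value with a mysqli prepared statement so the driver never interprets it as SQL.

```php
<?php
// Added example (not the project's code). Assumed schema: table system_info
// with columns meta_field and meta_value; $conn is an open mysqli connection.

// Pattern to avoid (generic illustration, not the project's actual code):
// the request value is spliced into the SQL text, so a crafted value can
// change the statement itself.
function update_settings_unsafe(mysqli $conn, string $name): bool
{
    $sql = "UPDATE system_info SET meta_value = '$name' WHERE meta_field = 'name'";
    return $conn->query($sql) !== false;
}

// Hardened form: the SQL text is constant and the value travels as a bound
// parameter, which is what the workaround above asks for.
function update_settings_safe(mysqli $conn, string $name): bool
{
    $name = trim($name);
    // Length and emptiness checks complement binding; they do not replace it.
    if ($name === '' || mb_strlen($name) > 250) {
        return false;
    }

    $stmt = $conn->prepare(
        "UPDATE system_info SET meta_value = ? WHERE meta_field = 'name'"
    );
    if ($stmt === false) {
        return false;
    }

    $stmt->bind_param('s', $name);   // 's' = bind as a string, never as SQL
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Assumed call site in the update_settings handler (connection values are
// placeholders):
// $conn = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $ok = update_settings_safe($conn, $_POST['name'] ?? '');
```

Apply the same prepare/bind pattern to every query in `/classes/SystemSettings.php`, not only the one reached through `f=update_settings`; the "Verify Fix Applied" check below only confirms the endpoints you actually tested.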

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection attempts targeting the vulnerable endpoint

Add WAF rule: Block requests containing SQL keywords targeting /classes/SystemSettings.php?f=update_settings

🧯 If You Can't Patch

  • Restrict network access to the application to trusted IP addresses only
  • Implement database user with minimal necessary permissions (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Test the /classes/SystemSettings.php?f=update_settings endpoint with SQL injection payloads in the 'name' parameter

Check Version:

Check application version in admin panel or review source code for version markers

Verify Fix Applied:

Attempt SQL injection after implementing parameterized queries and verify database errors no longer occur

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from web server process
  • SQL syntax errors in application logs
  • Multiple failed login attempts following SQL errors

Network Indicators:

  • HTTP POST requests to /classes/SystemSettings.php containing SQL keywords (SELECT, UNION, etc.)

SIEM Query:

source="web_logs" AND uri="/classes/SystemSettings.php" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*")
