CVE-2024-8348 – This critical vulnerability allows remote attac... (How to Fix)

Q: What is the severity of CVE-2024-8348?

CVE-2024-8348 has a CVSS score of 6.3 (MEDIUM). This critical vulnerability allows remote attackers to execute arbitrary SQL commands via the delete_category function in SourceCodester Computer Laboratory Management System 1.0. Attackers can manipulate the 'id' parameter to inject malicious SQL, potentially compromising the database. All users running the vulnerable version are affected.

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary SQL commands via the delete_category function in SourceCodester Computer Laboratory Management System 1.0. Attackers can manipulate the 'id' parameter to inject malicious SQL, potentially compromising the database. All users running the vulnerable version are affected.

💻 Affected Systems

Products:

SourceCodester Computer Laboratory Management System

Versions: 1.0

Operating Systems: Any OS running PHP with database backend

Default Config Vulnerable: ⚠️ Yes

Notes: Requires PHP environment with database connectivity; vulnerability exists in default installation.

📦 What is this software?

Computer Laboratory Management System by Oretnom23

View all CVEs affecting Computer Laboratory Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, or deletion; potential privilege escalation to system-level access.

🟠

Likely Case

Unauthorized data access, data exfiltration, or database manipulation leading to system disruption.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploit details are available.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external threat is higher due to remote nature.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub; SQL injection is well-understood with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.sourcecodester.com/

Restart Required: No

Instructions:

No official patch available. Check vendor website for updates. Consider implementing input validation and parameterized queries manually.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation for the 'id' parameter to only accept expected values.

Modify /classes/Master.php to validate and sanitize the id parameter before SQL execution

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Configure WAF to block requests containing SQL injection patterns to /classes/Master.php?f=delete_category

🧯 If You Can't Patch

Isolate the system from internet access and restrict to internal network only
Implement strict network segmentation and monitor all database access attempts

🔍 How to Verify

Check if Vulnerable:

Check if running version 1.0 of Computer Laboratory Management System; test the /classes/Master.php?f=delete_category endpoint with SQL injection payloads.

Check Version:

Check system documentation or admin panel for version information; examine source code headers.

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed; check that input validation is implemented for the id parameter.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed delete_category requests
Requests with SQL keywords in id parameter

Network Indicators:

HTTP requests to /classes/Master.php?f=delete_category with suspicious parameters
Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/classes/Master.php" AND query="f=delete_category" AND (id CONTAINS "'" OR id CONTAINS "--" OR id CONTAINS "UNION")

📊 Metadata

CVE ID: CVE-2024-8348

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-89

Published: August 30, 2024

Last Updated: September 4, 2024

🔗 References

https://github.com/gaorenyusi/gaorenyusi/blob/main/lms3.md Exploit
https://vuldb.com/?ctiid.276230 Permissions Required
https://vuldb.com/?id.276230 Permissions Required,Third Party Advisory
https://vuldb.com/?submit.400378 Third Party Advisory,VDB Entry
https://www.sourcecodester.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-8348, you might also want to check these: