CVE-2024-8368

7.3 HIGH

📋 TL;DR

CVE-2024-8368 is a critical SQL injection vulnerability in the Hospital Management System 1.0 login page that allows attackers to execute arbitrary SQL commands. This affects all systems running the vulnerable software where the login functionality is exposed. Attackers can potentially access, modify, or delete sensitive medical data through this vulnerability.

💻 Affected Systems

Products:
  • code-projects Hospital Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the index.php file in the login component. Any installation with the vulnerable version is affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to exposure of all patient records, medical data, and administrative credentials, potentially enabling ransomware deployment or data destruction.

🟠 Likely Case

Unauthorized access to patient records and sensitive hospital data, credential theft, and potential lateral movement within the network.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing information disclosure without data modification.

🌐 Internet-Facing: HIGH - The vulnerability is in the login page which is typically internet-facing, and exploitation can be done remotely without authentication.
🏢 Internal Only: MEDIUM - While still dangerous internally, network segmentation and internal controls may limit the blast radius compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details have been publicly disclosed on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative hospital management systems or implementing custom fixes with proper input validation and parameterized queries.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

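Add server-side validation of the username input before it reaches any SQL query, and bind it as a parameter rather than concatenating it into the query string.

Modify index.php to use prepared statements:

    // Bind the username as a parameter; it is never interpolated into the SQL text
    $stmt = $conn->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();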

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns in login requests

Add a WAF rule (ModSecurity syntax):

    SecRule ARGS:username "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Isolate the Hospital Management System behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the application server only

🔍 How to Verify

Check if Vulnerable:

Test the login page with SQL injection payloads like: username=admin' OR '1'='1

Check Version:

Check the software version in the admin panel or review the source code for version markers

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or properly handled without database errors

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax errors in application logs
  • Multiple failed login attempts with SQL characters
  • Successful logins from unusual IP addresses

Network Indicators:

  • HTTP POST requests to login.php containing SQL keywords like UNION, SELECT, OR

SIEM Query:

source="web_logs" AND (uri="/index.php" OR uri="/login.php") AND (request LIKE "%UNION%" OR request LIKE "%SELECT%" OR request LIKE "%OR%'1'='1%")
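
The indicators above can also be checked offline against exported request logs. The following is an added example, not code from the vendor or from the original advisory: it URL-decodes the username field before matching, so encoded or mixed-case payloads that a raw LIKE match would miss are still caught. The log record layout and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOGIN_PATHS = {"/index.php", "/login.php"}   # URIs named in the SIEM query

# Indicators from this page, matched case-insensitively on the decoded value.
SQLI = re.compile(r"""
      ['"]\s*(?:or|and)\b        # quote that closes the string, then a boolean operator
    | \bunion\b.+?\bselect\b     # UNION ... SELECT
    | -- | /\*                   # SQL comment opener
""", re.I | re.X | re.S)

# Constructed sample records (assumed layout):
# "<src_ip> <method> <uri> <form-encoded body>"
SAMPLE_LOG = """\
203.0.113.7 POST /index.php username=alice&password=x
203.0.113.9 POST /index.php username=admin%27+OR+%271%27%3D%271&password=x
203.0.113.9 POST /login.php username=a%27%20UNiOn%20SELECT%201%2C2--&password=x
198.51.100.4 POST /index.php username=o%27connor&password=x
198.51.100.4 POST /index.php username=selector&password=x
198.51.100.4 GET /about.php?q=union+select -
"""

def suspicious_logins(log_text):
    """Return (src_ip, decoded username) for login POSTs whose username matches SQLI."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue                      # skip malformed records
        ip, method, target, body = parts
        if method != "POST" or urlsplit(target).path not in LOGIN_PATHS:
            continue                      # only login submissions are in scope
        # parse_qs percent-decodes values and turns '+' into a space
        for value in parse_qs(body, keep_blank_values=True).get("username", []):
            if SQLI.search(value):
                hits.append((ip, value))
    return hits

def hits_by_source(hits):
    """Count flagged requests per source IP, busiest first."""
    return Counter(ip for ip, _ in hits).most_common()

if __name__ == "__main__":
    found = suspicious_logins(SAMPLE_LOG)
    for ip, count in hits_by_source(found):
        print(ip, count, [user for src, user in found if src == ip])
```

Legitimate usernames containing an apostrophe (o'connor) or a keyword fragment (selector) are not flagged, which keeps the output usable for triage.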
