CVE-2024-8868

7.3 HIGH

📋 TL;DR

CVE-2024-8868 is a critical SQL injection vulnerability in code-projects Crud Operation System 1.0 that allows remote attackers to execute arbitrary SQL commands via the 'sname' parameter in savedata.php. This affects all deployments of version 1.0, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • code-projects Crud Operation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. The vulnerability exists in the default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, data modification, and potential privilege escalation within the database.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing systems directly.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries for the sname parameter in savedata.php

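Modify savedata.php to use prepared statements, binding sname as a parameter instead of concatenating it into the SQL string (table and name below are placeholders for the application's own table and column):

    $stmt = $conn->prepare('SELECT * FROM table WHERE name = ?');
    $stmt->bind_param('s', $sname);
    $stmt->execute();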

Web Application Firewall Rules

all

Deploy WAF rules to block SQL injection patterns targeting savedata.php

Add WAF rule: Block requests to savedata.php containing SQL keywords in sname parameter

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input filtering
  • Implement network segmentation to limit database access from the application server

🔍 How to Verify

Check if Vulnerable:

Test savedata.php with SQL injection payloads in the sname parameter (e.g., sname=' OR '1'='1)

Check Version:

Check application version in configuration files or about pages

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection attempts return errors or are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts via savedata.php
  • SQL syntax errors in application logs

Network Indicators:

  • Unusual POST requests to savedata.php with SQL keywords
  • High volume of requests to savedata.php endpoint

SIEM Query:

source=web_logs url="/savedata.php" AND (sname="*OR*" OR sname="*UNION*" OR sname="*SELECT*" OR sname="*INSERT*")
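
The wildcard terms in the query above also match ordinary names that contain "OR". The following Python sketch is an added example, not part of the original advisory or the vendor's code: it percent-decodes sname and requires a whole-word keyword plus a SQL metacharacter. The event layout (`url` and raw `sname` fields), the sample events and the case-insensitive reading of the wildcard match are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Keywords from the SIEM query above, matched as whole words only.
KEYWORD = re.compile(r"\b(?:OR|UNION|SELECT|INSERT)\b", re.IGNORECASE)
# Quote, statement-separator and comment tokens a plain name rarely contains.
META = re.compile(r"['\"`;]|--|/\*")

def decode(raw, rounds=3):
    """Percent-decode up to `rounds` times so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def is_suspicious(event):
    """Flag savedata.php requests whose decoded sname has a keyword and a metacharacter."""
    if not event["url"].lower().endswith("/savedata.php"):
        return False
    value = decode(event["sname"])
    return bool(KEYWORD.search(value) and META.search(value))

def naive_match(event):
    """Wildcard logic of the query above, assumed to be a case-insensitive substring test."""
    raw = event["sname"].upper()
    return event["url"] == "/savedata.php" and any(
        k in raw for k in ("OR", "UNION", "SELECT", "INSERT"))

# Constructed sample events (not real traffic); field names follow the query above.
EVENTS = [
    {"url": "/savedata.php", "sname": "Victor"},
    {"url": "/savedata.php", "sname": "Eleanor+Gordon"},
    {"url": "/savedata.php", "sname": "O%27Brien"},
    {"url": "/savedata.php", "sname": "%27+OR+%271%27%3D%271"},
    {"url": "/savedata.php", "sname": "%2527%2520or%2520%25271%2527%253D%25271"},
    {"url": "/index.php", "sname": "%27+OR+%271%27%3D%271"},
]

def report(events=EVENTS):
    """Return (naive hits, strict hits) as lists of raw sname values."""
    naive = [e["sname"] for e in events if naive_match(e)]
    strict = [e["sname"] for e in events if is_suspicious(e)]
    return naive, strict

if __name__ == "__main__":
    print(report())
```

Input that uses none of the listed keywords, or no quote or comment token, is not flagged, so this serves log triage and does not replace the prepared-statement fix.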
