CVE-2024-9078

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in Student Record System 1.0 allows remote attackers to execute arbitrary SQL commands via the coursename parameter in course.php. Successful exploitation could lead to data theft, modification, or deletion. All deployments of Student Record System 1.0 are affected.

💻 Affected Systems

Products:
  • Student Record System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable. No specific OS requirements mentioned.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, privilege escalation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized access to student records, grade manipulation, user data theft, and potential system takeover.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available on GitHub. SQL injection is a well-understood attack vector with many automated tools available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates
2. If patch available, download and apply
3. Test functionality after update

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize coursename parameter

Modify course.php to add parameterized queries or input sanitization

WAF Rule

all

Implement web application firewall rules to block SQL injection patterns

Add WAF rule: deny requests containing SQL keywords in coursename parameter

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database queries from the application

🔍 How to Verify

Check if Vulnerable:

Test coursename parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test with same payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from course.php
  • SQL error messages in application logs
  • Multiple failed login attempts after SQL injection

Network Indicators:

  • Unusual SQL patterns in HTTP requests to course.php
  • Large data exfiltration from database

SIEM Query:

source="web_logs" AND uri="/course.php" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "OR '1'='1")
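
A substring query like the one above can miss percent-encoded or mixed-case values, so the following added example (not part of the original page or the vendor's code) decodes the coursename value before matching the same three patterns. It assumes Common/Combined Log Format access logs and that coursename arrives in the query string, which the page does not confirm; the function names and the log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Patterns taken from the SIEM query on this page, matched case-insensitively
# on the decoded parameter value rather than on the raw log line.
SUSPICIOUS = re.compile(r"\bunion\b|\bselect\b|\bor\s+'1'\s*=\s*'1", re.IGNORECASE)

# Request part of a Common/Combined Log Format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def flag_line(line):
    """Return the decoded coursename value if the line looks suspicious, else None."""
    m = REQUEST.search(line)
    if not m:
        return None  # not a parseable request line
    target = urlsplit(m.group(1))
    if not target.path.endswith("/course.php"):
        return None  # only the endpoint named in the advisory
    # parse_qs percent-decodes values and turns '+' into a space
    for value in parse_qs(target.query, keep_blank_values=True).get("coursename", []):
        if SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged line."""
    return [(n, hit) for n, line in enumerate(lines, 1)
            if (hit := flag_line(line)) is not None]

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Oct/2024:10:00:01 +0000] "GET /course.php?coursename=Algebra+I HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Oct/2024:10:00:07 +0000] "GET /course.php?coursename=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '192.0.2.44 - - [01/Oct/2024:10:00:09 +0000] "GET /course.php?coursename=x%27+uNiOn+SeLeCt+1 HTTP/1.1" 500 310',
    '192.0.2.10 - - [01/Oct/2024:10:00:12 +0000] "GET /index.php?q=select+a+course HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: coursename={value!r}")
```

Keyword matching also flags legitimate course names that contain words such as "Select", so treat hits as triage signals to correlate with the SQL error messages listed under Log Indicators.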
