CVE-2024-9085

7.3 HIGH

📋 TL;DR

This critical SQL injection vulnerability in Restaurant Reservation System 1.0 allows remote attackers to execute arbitrary SQL commands by manipulating the 'date' parameter in index.php. This can lead to unauthorized data access, modification, or deletion. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Restaurant Reservation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the index.php file, specifically through the 'date' parameter. The initial advisory incorrectly mentioned the 'sid' parameter.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential server takeover via SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized access to sensitive reservation data, customer information, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries in place, potentially only causing application errors.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit has been publicly disclosed and remote attack is possible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

1. Check vendor website for updates
2. Apply any available patches
3. Test functionality after patching

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to only accept properly formatted date values

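Add PHP validation:
  // Missing parameter becomes ''; is_string() rejects array input such as date[]=x.
  $date = $_GET['date'] ?? '';
  // \z instead of $ so a value with a trailing newline does not pass.
  if (!is_string($date) || !preg_match('/^\d{4}-\d{2}-\d{2}\z/', $date)) { die('Invalid date format'); }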

Parameterized Query Implementation

all

Replace direct SQL concatenation with prepared statements

Replace: $sql = "SELECT * FROM reservations WHERE date = '" . $_GET['date'] . "'";
With: $stmt = $pdo->prepare("SELECT * FROM reservations WHERE date = ?"); $stmt->execute([$_GET['date']]);

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict network access to only trusted IP addresses

🔍 How to Verify

Check if Vulnerable:

Test index.php with SQL injection payloads in date parameter: index.php?date=' OR '1'='1

Check Version:

Check application version in admin panel or readme files

Verify Fix Applied:

Test with same payloads and verify they are rejected or properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in logs
  • Multiple failed login attempts after date parameter manipulation
  • Suspicious date parameter values containing SQL keywords

Network Indicators:

  • HTTP requests with SQL injection patterns in date parameter
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND (date="*' OR*" OR date="*UNION*" OR date="*SELECT*" OR date="*--*" OR date="*;*" OR date="*/*")
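
Added example (not part of the original advisory or the vendor's code): a Python triage script for the log indicators above. Rather than matching SQL keywords, it flags any index.php request whose decoded date value is not strictly YYYY-MM-DD, then records which tokens from the SIEM query appear in it. The combined access-log format, the function name and the sample lines are assumptions constructed for illustration; only query-string values are visible in such logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed input: combined-format access log lines (IP first, quoted request line).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Allowlist: the only shape a legitimate 'date' value should have.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}", re.ASCII)
# Tokens taken from the SIEM query above; used to rank findings, not to find them.
SQL_TOKENS = ("'", "--", ";", "/*", "union", "select", " or ")


def suspicious_date_requests(lines):
    """Return (client_ip, decoded_value, tokens) for every index.php request
    whose 'date' query value is not strictly YYYY-MM-DD."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/index.php"):
            continue
        # parse_qs percent-decodes, so encoded payloads are compared in clear text.
        for value in parse_qs(url.query, keep_blank_values=True).get("date", []):
            if DATE_RE.fullmatch(value):
                continue
            tokens = [t for t in SQL_TOKENS if t in value.lower()]
            findings.append((m.group("ip"), value, tokens))
    return findings


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Oct/2024:10:00:01 +0000] "GET /index.php?date=2024-10-05 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Oct/2024:10:00:09 +0000] "GET /index.php?date=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 20480',
    '198.51.100.7 - - [01/Oct/2024:10:00:12 +0000] "GET /index.php?date=2024-10-05%27-- HTTP/1.1" 500 312',
    '203.0.113.9 - - [01/Oct/2024:10:03:40 +0000] "GET /index.php?date=05/10/2024 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Oct/2024:10:04:02 +0000] "GET /about.php?date=%27 HTTP/1.1" 404 153',
]

if __name__ == "__main__":
    for ip, value, tokens in suspicious_date_requests(SAMPLE_LOG):
        label = "possible SQLi" if tokens else "format anomaly"
        print(f"{ip}\t{label}\t{value!r}\t{tokens}")
```

Findings with an empty token list are format anomalies (for example a client sending DD/MM/YYYY) and are usually lower priority than those carrying quote or comment tokens.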
