CVE-2024-9797

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability (rated 7.3 HIGH) in Blood Bank System 1.0 allows attackers to manipulate database queries through the user parameter in register.php. Remote attackers can potentially access, modify, or delete sensitive blood bank data, including donor information and medical records. All deployments of Blood Bank System 1.0 with the vulnerable register.php file are affected.

💻 Affected Systems

Products:
  • code-projects Blood Bank System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation with register.php accessible is vulnerable; no special configuration required

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover by chaining SQL injection to RCE

🟠 Likely Case: Unauthorized access to sensitive donor medical data, blood inventory records, and personal information

🟢 If Mitigated: Limited impact; proper input validation and restrictive database permissions confine damage to non-critical data

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication
🏢 Internal Only: MEDIUM - Still exploitable by internal threats but attack surface reduced

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit available on GitHub; simple SQL injection requiring minimal technical skill

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Manually fix register.php by implementing parameterized queries or input validation for the user parameter.
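As an added illustration (not code from the code-projects Blood Bank System itself), the snippet below places the concatenated-query pattern that produces this class of flaw next to its prepared-statement replacement, which is the fix the instructions above call for. The variable name $connection follows the workaround section; the users table and username column are assumed names.

```php
<?php
// Added example, not the project's own register.php. Assumes $connection is a
// connected mysqli handle and that a `users` table has a `username` column
// (both assumed names).

// BEFORE (the pattern this advisory describes): the request value is pasted
// into the SQL text, so a value such as  admin' OR '1'='1  changes the
// structure of the query instead of being treated as data.
function userExistsVulnerable(mysqli $connection, string $user): bool
{
    $sql = "SELECT id FROM users WHERE username = '" . $user . "'";
    $result = $connection->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// AFTER: a prepared statement with a bound parameter. The SQL text is sent to
// the server before the value is supplied, so the input cannot alter it.
function userExistsSafe(mysqli $connection, string $user): bool
{
    $stmt = $connection->prepare('SELECT id FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $connection->error);
    }
    $stmt->bind_param('s', $user);   // 's' binds the value as a string
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Defence in depth: also validate the shape of the value so that malformed
// usernames are rejected before the database is touched at all.
function validUsername(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $user) === 1;
}

// Request handling as a fixed register.php might do it.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    if (!validUsername($user)) {
        http_response_code(400);
        exit('invalid username');
    }
    if (userExistsSafe($connection, $user)) {
        exit('username already taken');
    }
    // ... continue with registration using $user
}
```

The prepared statement is the fix; the regex check is an additional layer that also reduces error-message noise in logs, and it should be adjusted to whatever username rules the deployment actually enforces.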

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add input validation to sanitize the user parameter before SQL processing.

Edit register.php and add: $user = mysqli_real_escape_string($connection, $_POST['user']); (where $connection is the script's mysqli link). Escaping only protects quoted string contexts, so treat this as a stopgap until the query is converted to a prepared statement as described under Official Fix.

Web Application Firewall (all platforms)

Deploy a WAF with SQL injection rules to block malicious requests.

🧯 If You Can't Patch

  • Restrict network access to the Blood Bank System using firewall rules
  • Implement database user with minimal permissions (SELECT only where possible)

🔍 How to Verify

Check if Vulnerable:

Test register.php endpoint with SQL injection payloads like: user=admin' OR '1'='1

Check Version:

Check PHP files for version comments or review installation documentation

Verify Fix Applied:

Attempt SQL injection tests after implementing parameterized queries; verify no database errors or unexpected behavior

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in PHP/application logs
  • Unusual database queries from register.php
  • Multiple failed login attempts with SQL characters

Network Indicators:

  • HTTP POST requests to register.php containing SQL keywords (UNION, SELECT, INSERT)
  • Abnormal response patterns from register.php endpoint

SIEM Query:

source="web_logs" AND uri="/register.php" AND (request LIKE "%UNION%" OR request LIKE "%SELECT%" OR request LIKE "%' OR '%")
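The SIEM query above expresses the indicators as substring matches. The added example below (not part of the original advisory) applies the same indicators to a handful of constructed request records for register.php, with two practical refinements: the body is URL-decoded first so percent-encoded variants are not missed, and the SQL keywords are matched on word boundaries so ordinary values such as a username containing "select" do not trip the rule.

```php
<?php
// Added example, not from the original advisory: the page's detection
// indicators applied to constructed request records (not real traffic).

// Indicators from the advisory: SQL keywords and the quote/OR pattern in
// requests to register.php. Word boundaries on the keywords cut false
// positives; the case-insensitive flag covers mixed-case variants.
const SQLI_INDICATORS = [
    'sql_keyword' => '/\b(UNION|SELECT|INSERT)\b/i',
    'quote_or'    => "/'\s*OR\s*'/i",
];

// Returns the names of indicators that fire for one request, or [] if none.
function flagRequest(string $uri, string $body): array
{
    if (parse_url($uri, PHP_URL_PATH) !== '/register.php') {
        return [];
    }
    // Decode once so  %27+OR+%27  is examined as  ' OR '
    $decoded = urldecode($body);
    $hits = [];
    foreach (SQLI_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample records: method, URI, POST body.
$samples = [
    ['POST', '/register.php', 'user=alice&pass=hunter2'],
    ['POST', '/register.php', 'user=admin%27+OR+%271%27%3D%271&pass=x'],
    ['POST', '/register.php', "user=x' UNION SELECT 1,2,3-- &pass=x"],
    ['POST', '/register.php', 'user=Selector99&pass=x'],          // benign
    ['POST', '/login.php',    "user=admin' OR '1'='1"],           // out of scope here
];

foreach ($samples as [$method, $uri, $body]) {
    $hits = flagRequest($uri, $body);
    printf("%-5s %-14s %-45s -> %s\n", $method, $uri, $body,
        $hits ? 'ALERT: ' . implode(',', $hits) : 'ok');
}
```

Standard web server access logs do not record POST bodies, so a rule like this needs request data from a WAF, a reverse proxy configured to log bodies, or application-level logging in register.php itself; without that, only the GET-style indicators and the database error messages listed above are observable.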
