A critical vulnerability has been discovered in SourceCodester Simple Student Attendance System version 1. The affected functions are delete_class and delete_student in the file /ajax-api.php, part of the List of Classes Page component. The vulnerability, tracked as CVE-2024-1923, is an SQL injection: the 'id' argument is placed into an SQL statement without validation or escaping, so the URL-encoded input 1337'+or+1=1;--+ (1337' or 1=1;-- once the '+' signs are decoded to spaces) changes the meaning of the query. The attack can be launched remotely, and because the exploit has been publicly disclosed, systems running this version of the software are at significant risk.

Exploit Details

Vulnerability type: SQL Injection
Vulnerable Functions: delete_class, delete_student
Affected File: /ajax-api.php
Component: List of Classes Page
Vulnerable Parameter: id
Vulnerable Input: 1337'+or+1=1;--+ (URL-encoded; decodes to 1337' or 1=1;-- )
CVE-ID: CVE-2024-1923
VDB-ID: VDB-254858

An attacker exploits the flaw by sending a request for the delete_class or delete_student action whose id argument carries the payload 1337'+or+1=1;--+. Once the value lands inside the quoted SQL literal, the single quote terminates the intended id, "or 1=1" makes the WHERE condition true for every row, and ";--" turns the rest of the statement, including the closing quote, into a comment. The DELETE therefore no longer targets a single record but every row in the classes or students table, destroying the integrity of the attendance data. The same injection point gives the attacker control over the rest of the statement, but mass deletion is the direct effect of the published payload.

Example Code Snippet

Below is an illustrative reconstruction of the vulnerable pattern in /ajax-api.php, reduced to the relevant lines (not the verbatim file):

<?php

// ... some code ...

// Illustrative reconstruction of the vulnerable pattern, not the verbatim file.
$action = $_GET['action'] ?? '';

if ($action == 'delete_class' || $action == 'delete_student') {
    $id = $_GET['id']; // User-controlled input, used without validation or escaping

    // The id is spliced into the SQL text as a quoted literal. With the
    // advisory's payload (1337' or 1=1;-- after URL decoding) the query becomes:
    //   DELETE FROM classes WHERE id = '1337' or 1=1;-- '
    // The quote closes the literal, "or 1=1" matches every row, and "--"
    // comments out the trailing quote, so the whole table is deleted.
    if ($action == 'delete_class') {
        $query = "DELETE FROM classes WHERE id = '$id'";
    }
    elseif ($action == 'delete_student') {
        $query = "DELETE FROM students WHERE id = '$id'";
    }

    // ... Execute the query (the tainted string is sent to the database as-is) ...
}


Mitigation Suggestions

To mitigate the risk posed by this vulnerability, users of SourceCodester Simple Student Attendance System 1. should update their installations to the latest version of the software. Developers should replace the string-built DELETE statements with parameterized queries or prepared statements, so that the id value is bound as data and can never alter the structure of the statement, and should additionally validate that id is an integer before it reaches the database layer; escaping alone is a weaker substitute for either measure. Because the payload is public, operators should also review web-server and database logs for requests to /ajax-api.php whose id parameter contains a quote character, "or 1=1" or an SQL comment sequence, and check the classes and students tables for unexpected mass deletions.
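As an added example (not code from this page or from the SourceCodester project), the following Python script reproduces both sides of the issue against an in-memory SQLite database standing in for the application's MySQL backend: a delete handler that splices the id into the SQL text the way the snippet above does, a handler that only binds the id as a parameter, and a hardened handler that whitelists the action, requires an integer id and binds it. The table names, the action-to-table mapping and the sample rows are assumptions constructed for the demonstration; the payload is the advisory's, decoded the way PHP's $_GET would decode it. Running it shows the tainted query deleting every row of the classes table while the bound parameter, with or without the integer check, deletes none.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample rows standing in for the application's data (assumption).
SAMPLE_CLASSES = [(1, "Grade 1"), (2, "Grade 2"), (3, "Grade 3")]
SAMPLE_STUDENTS = [(1, "Ann"), (2, "Bob"), (3, "Cy"), (4, "Dee")]

# Hypothetical mapping from the ajax action to the table it deletes from.
TABLES = {"delete_class": "classes", "delete_student": "students"}

# The advisory's payload as it travels in the URL. PHP's $_GET hands the
# handler the decoded form, so decode the same way: '+' becomes a space.
ENCODED_PAYLOAD = "1337'+or+1=1;--+"
PAYLOAD = unquote_plus(ENCODED_PAYLOAD)  # "1337' or 1=1;-- "


def make_db():
    """In-memory SQLite stand-in for the application's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE classes (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO classes (id, name) VALUES (?, ?)", SAMPLE_CLASSES)
    conn.executemany("INSERT INTO students (id, name) VALUES (?, ?)", SAMPLE_STUDENTS)
    conn.commit()
    return conn


def count_rows(conn, table):
    """Row count for one of the two known tables (table name is whitelisted)."""
    if table not in TABLES.values():
        raise ValueError(f"unknown table: {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def build_vulnerable_query(action, user_id):
    """The SQL text the vulnerable pattern produces: id spliced into a quoted literal."""
    return f"DELETE FROM {TABLES[action]} WHERE id = '{user_id}'"


def vulnerable_delete(conn, action, user_id):
    """Executes the string-built query and returns the number of rows deleted.

    With PAYLOAD the statement reads
      DELETE FROM classes WHERE id = '1337' or 1=1;-- '
    so the WHERE clause is true for every row and the trailing quote is a comment.
    """
    cur = conn.execute(build_vulnerable_query(action, user_id))
    conn.commit()
    return cur.rowcount


def bound_delete(conn, action, user_id):
    """Same query with the id bound as a parameter and no other validation.

    The whole payload is now one value compared against the id column, so the
    injected 'or 1=1' is never parsed as SQL and no row matches.
    """
    if action not in TABLES:
        raise ValueError(f"unknown action: {action!r}")
    cur = conn.execute(f"DELETE FROM {TABLES[action]} WHERE id = ?", (user_id,))
    conn.commit()
    return cur.rowcount


def hardened_delete(conn, action, user_id):
    """Whitelists the action, requires an integer id, then binds it."""
    if action not in TABLES:
        raise ValueError(f"unknown action: {action!r}")
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return bound_delete(conn, action, id_value)


def demo():
    """Runs the payload through all three handlers and reports what happened."""
    results = {}

    conn = make_db()
    results["vulnerable_rows_deleted"] = vulnerable_delete(conn, "delete_class", PAYLOAD)
    results["classes_left_after_vulnerable"] = count_rows(conn, "classes")

    conn = make_db()
    results["bound_rows_deleted"] = bound_delete(conn, "delete_class", PAYLOAD)
    try:
        hardened_delete(conn, "delete_class", PAYLOAD)
        results["hardened_rejected_payload"] = False
    except ValueError:
        results["hardened_rejected_payload"] = True
    results["classes_left_after_hardened"] = count_rows(conn, "classes")
    # A legitimate request still works through the hardened path.
    results["hardened_legit_rows_deleted"] = hardened_delete(conn, "delete_class", "2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it with python3 and it prints the row counts for each path. The build_vulnerable_query function exists only to make the resulting SQL text visible; a real handler should never construct it. Binding alone already defeats the payload, and the integer check in hardened_delete turns an attempted injection into a rejected request instead of a silent no-op, which is the behaviour you want to see in the application's logs.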

Conclusion

CVE-2024-1923 is a critical vulnerability that affects SourceCodester Simple Student Attendance System version 1. It can be exploited remotely through an SQL injection in the id argument of the delete_class and delete_student functions, and the published payload deletes entire tables of attendance data. Users are strongly recommended to update their software, and developers to move the affected queries to prepared statements with input validation, to mitigate the risk of falling victim to this exploit.

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 03/03/2024 15:15:07 UTC