A new vulnerability, CVE-2024-24099, has been identified in the Code-projects Scholars Tracking System (STS) version 1.0. This flaw exposes systems running the software to SQL Injection when Employment Status Information is updated. SQL Injection remains a top web application security concern because it lets an attacker read, tamper with, or delete database records, putting sensitive information at risk.

Affected Versions

The vulnerability affects Code-projects Scholars Tracking System version 1.0.

Vulnerability Details

The vulnerability resides in the 'Employment Status Information Update' functionality of the STS software. Because request parameters are concatenated into an SQL statement, an attacker can submit input that the backend MySQL database executes as SQL, which can lead to unauthorized data access, data manipulation, or data deletion.

Here's an example of a vulnerable code snippet from the Scholars Tracking System v1.0:

// $es_name, $es_desc, $es_remarks and $rID come straight from the request and are spliced into the SQL text unescaped; $rID is not even quoted
$update_sql = "UPDATE employment_status SET employment_status_name='".$es_name."',employment_status_desc='".$es_desc."',employme_status_remarks='".$es_remarks."' WHERE employment_status_id=".$rID;
$result = mysql_query($update_sql) or die('Cannot update Employment Status. ' . mysql_error());

In the code above, user input is concatenated directly into the SQL query without escaping, validation, or parameterization. The three text values sit inside single quotes that a quote character in the input can close, and $rID is interpolated into the WHERE clause with no quoting at all, so whatever is placed there is parsed directly as SQL.

The following is a simple example of how an attacker could exploit this vulnerability:

- Using an HTTP client such as curl, or a browser's developer tools, the attacker edits the request that the Employment Status Information Update form submits.
- The attacker replaces the benign value of the employment_status_name parameter with an SQL fragment that closes the quoted string, for example: ' OR '1'='1. Because the input is spliced into the query unescaped, the single quote ends the intended string and the rest of the input is parsed as SQL rather than stored as data.

Two details matter for assessing impact. First, $rID is concatenated into the WHERE clause without quotes, so an attacker who controls that parameter does not even need to break out of a string, and a tautology there (the same OR trick) makes the UPDATE rewrite every row in the table. Second, mysql_query() executes a single statement, so the attacker cannot append a second statement after a ';', but can still change which rows are updated and what values are written.

References

- Code-projects Scholars Tracking System
- CVE-2024-24099 in the CVE database

Mitigation

To mitigate CVE-2024-24099 in Code-projects Scholars Tracking System 1.0, user input must no longer be concatenated into SQL text. The correct fix is to use parameterized queries (prepared statements), which keep user data separate from SQL code. Validating inputs, for example casting the record id to an integer, is worthwhile as defense in depth but is not a substitute for parameterization.

Here's a code snippet that implements the update with a parameterized query (using mysqli, since the ext/mysql functions in the vulnerable snippet have no prepared-statement support and were removed in PHP 7.0):

// $conn is an open mysqli connection
$stmt = $conn->prepare("UPDATE employment_status SET employment_status_name=?, employment_status_desc=?, employme_status_remarks=? WHERE employment_status_id=?");
if ($stmt === false) {
    die('Cannot prepare Employment Status update. ' . $conn->error);
}
// Type string "sssi": s = string for the three text fields, i = integer for the id
$stmt->bind_param("sssi", $es_name, $es_desc, $es_remarks, $rID);

// Execute the prepared statement; the bound values travel separately from the SQL text
$stmt->execute() or die('Cannot update Employment Status. ' . $stmt->error);
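To make the difference between the two code paths concrete, the following is an added example (not code from the Scholars Tracking System, the vendor, or the CVE record) that reproduces the vulnerable concatenation and the parameterized fix in Python against an in-memory SQLite table, so it runs without a MySQL server. The table and column names are taken from the snippets above; the sample rows, the helper names and the second payload aimed at the unquoted $rID value (1 OR 1=1, the same tautology applied to the WHERE clause instead of the SET clause) are assumptions made for illustration.

```python
import sqlite3

# Constructed sample rows for the demo; not data from the STS project.
SEED_ROWS = [
    (1, "Employed", "Currently working", "none"),
    (2, "Unemployed", "Seeking work", "none"),
    (3, "Student", "Full-time study", "none"),
]

# The page's payload for employment_status_name, and (added generalization)
# the same tautology aimed at the unquoted employment_status_id value.
NAME_PAYLOAD = "' OR '1'='1"
ID_PAYLOAD = "1 OR 1=1"


def fresh_db():
    """In-memory stand-in for the STS table; column names follow the page's snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employment_status ("
        "employment_status_id INTEGER PRIMARY KEY,"
        "employment_status_name TEXT,"
        "employment_status_desc TEXT,"
        "employme_status_remarks TEXT)"
    )
    conn.executemany("INSERT INTO employment_status VALUES (?,?,?,?)", SEED_ROWS)
    conn.commit()
    return conn


def vulnerable_update(conn, es_name, es_desc, es_remarks, rid):
    """Same string concatenation as the vulnerable PHP: input becomes SQL text."""
    update_sql = (
        "UPDATE employment_status SET employment_status_name='" + es_name
        + "',employment_status_desc='" + es_desc
        + "',employme_status_remarks='" + es_remarks
        + "' WHERE employment_status_id=" + rid
    )
    cur = conn.execute(update_sql)
    conn.commit()
    return update_sql, cur.rowcount


def safe_update(conn, es_name, es_desc, es_remarks, rid):
    """Parameterized equivalent of the mysqli prepare/bind_param fix.

    Strings are sent as bound values, never as SQL text, and the id is coerced
    to int first (the 'i' in bind_param("sssi", ...)), so a non-numeric id is
    rejected before any SQL runs.
    """
    cur = conn.execute(
        "UPDATE employment_status SET employment_status_name=?,"
        "employment_status_desc=?,employme_status_remarks=? "
        "WHERE employment_status_id=?",
        (es_name, es_desc, es_remarks, int(rid)),
    )
    conn.commit()
    return cur.rowcount


def names(conn):
    rows = conn.execute(
        "SELECT employment_status_name FROM employment_status ORDER BY employment_status_id"
    )
    return [r[0] for r in rows]


def run_demo():
    """Run both code paths against both payloads and report what each one did."""
    results = {}

    # Vulnerable path, page's payload in the quoted SET value: the quote closes the
    # string and '' OR '1'='1' is evaluated as a boolean, so the row no longer
    # holds what the user typed.
    conn = fresh_db()
    sql, _ = vulnerable_update(conn, NAME_PAYLOAD, "desc", "remarks", "1")
    results["vuln_name_sql"] = sql
    results["vuln_name_stored"] = names(conn)[0]

    # Vulnerable path, tautology in the unquoted WHERE clause: every row is updated.
    conn = fresh_db()
    _, affected = vulnerable_update(conn, "Hacked", "desc", "remarks", ID_PAYLOAD)
    results["vuln_id_rows_affected"] = affected
    results["vuln_id_names"] = names(conn)

    # Parameterized path: the payload is stored as a literal string, one row touched.
    conn = fresh_db()
    results["safe_rows_affected"] = safe_update(conn, NAME_PAYLOAD, "desc", "remarks", "1")
    results["safe_name_stored"] = names(conn)[0]

    # Parameterized path with the id payload: int() rejects it, table untouched.
    conn = fresh_db()
    try:
        safe_update(conn, "Hacked", "desc", "remarks", ID_PAYLOAD)
        results["safe_id_rejected"] = False
    except ValueError:
        results["safe_id_rejected"] = True
    results["safe_id_names"] = names(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Running the script shows the vulnerable path storing the evaluated expression rather than the submitted text for the page's payload, and rewriting all three rows when the tautology is placed in the id; the parameterized path stores ' OR '1'='1 verbatim and refuses the non-numeric id before touching the database.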

Additionally, keep the software up to date and follow the vendor's recommendations for securing the application environment. The database account the application connects with should also hold no more privileges than its queries require, which limits what an injection can reach if one is missed.

Conclusion

The CVE-2024-24099 vulnerability in Code-projects Scholars Tracking System 1.0 poses a severe risk to organizations using this software, since it allows SQL Injection through the Employment Status Information Update functionality. Secure coding practices such as parameterized queries, together with regular software updates, mitigate this vulnerability and protect affected systems.

Timeline

Published on: 02/27/2024 02:15:06 UTC
Last modified on: 02/27/2024 14:20:06 UTC