CVE-2024-25302
Description
SQL injection vulnerability in Sourcecodester Event Student Attendance System 1.0 allows attackers to extract database data via the 'student' parameter in delete-student.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
SQL injection exists in the `delete-student.php` endpoint of Sourcecodester Event Student Attendance System version 1.0 [1]. The `student` GET parameter is concatenated directly into an SQL query without sanitization or parameterization, allowing an attacker to inject arbitrary SQL.
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to `http://localhost/event-student-attendance/endpoint/delete-student.php?student=3` with a malicious SQL payload in the `student` parameter [1]. No authentication is required if the endpoint is publicly accessible. The reference demonstrates using sqlmap with the `-p student` option to perform boolean-based blind injection and extract database contents.
Impact
Successful exploitation allows the attacker to manipulate the database, leading to unauthorized access, data exfiltration, modification, or deletion. According to the advisory, this can "compromise the application, access or modify data, or exploit the latest vulnerabilities in the underlying database" [1].
Mitigation
As of the publication date, no official fix has been released for version 1.0 [1]. Users should apply input validation, use parameterized queries, and restrict access to the vulnerable endpoint until a patch is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sourcecodester/Event Student Attendance System
  - Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the 'student' parameter allows SQL injection."
Attack vector
An attacker sends a crafted GET request to `delete-student.php` with a malicious `student` parameter, such as `http://localhost/event-student-attendance/endpoint/delete-student.php?student=3` [ref_id=1]. The application does not validate or sanitize this input, allowing SQL metacharacters to be injected. The researcher demonstrated exploitation using sqlmap with the `--risk 3 --level 5` flags against a MySQL backend, confirming boolean-based blind SQL injection [ref_id=1]. No authentication is required to reach the endpoint, and the attack can be performed remotely over HTTP.
Affected code
The vulnerable endpoint is `/event-student-attendance/endpoint/delete-student.php`, which accepts the `student` parameter via a GET request [ref_id=1]. The researcher identifies that the `student` parameter is directly interpolated into a SQL query without sanitization or parameterization [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation from the vendor [ref_id=1]. To close this vulnerability, the application should use prepared statements or parameterized queries when constructing SQL statements that include the `student` parameter, and input validation should be applied to ensure the parameter is a numeric value if that is the expected type.
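The remediation described above, as an added example that is not the Sourcecodester project's own code: a hypothetical reconstruction of the vulnerable concatenation pattern next to a hardened version that validates the parameter as an integer and binds it through a prepared statement. The table and column names (`students`, `id`), the `$conn` mysqli handle, and the session check are assumptions.

```php
<?php
// Added example, not code from the original advisory or the vendor application.
// Assumed: a mysqli connection in $conn and a table `students` with integer key `id`.

// BEFORE (the pattern the advisory describes): the raw GET value is pasted into
// the statement, so any SQL metacharacters in ?student= become part of the query.
function deleteStudentUnsafe(mysqli $conn): bool
{
    $student = $_GET['student'];
    $sql = "DELETE FROM students WHERE id = '" . $student . "'";
    return (bool) $conn->query($sql);
}

// AFTER: require a logged-in user, validate the type, then bind the value as a
// parameter so the database never interprets it as SQL.
function deleteStudentSafe(mysqli $conn): bool
{
    // Restrict access to the endpoint (assumed session key; the advisory notes
    // the endpoint needs no authentication as shipped).
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        return false;
    }
    // Reject anything that is not a positive integer before touching the database.
    $student = filter_input(INPUT_GET, 'student', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($student === false || $student === null) {
        http_response_code(400);
        return false;
    }
    // Prepared statement: the '?' placeholder is sent to MySQL separately from
    // the data, so the value cannot change the query's structure.
    $stmt = $conn->prepare('DELETE FROM students WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $student);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```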
Preconditions
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.
- config: The application must be running with a MySQL database backend.
- auth: No authentication is required to access the `delete-student.php` endpoint.
- input: The `student` parameter must be accepted and processed without sanitization.
Reproduction
1. Navigate to `http://localhost/event-student-attendance`, select any student, and press the delete-student button.
2. Capture the resulting GET request (e.g., `GET /event-student-attendance/endpoint/delete-student.php?student=3`) using Burp Suite and save it to an `r.txt` file.
3. Run sqlmap: `python sqlmap.py -r r.txt -p student --risk 3 --level 5 --dbms mysql --proxy="http://127.0.0.1:8080" --batch --current-db` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.