CVE-2024-25312
Description
Code-projects Simple School Management System 1.0 allows SQL Injection via the 'id' parameter at "School/sub_delete.php?id=5".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Simple School Management System 1.0 is vulnerable to SQL injection in the 'id' parameter of sub_delete.php, allowing attackers to extract database contents.
Vulnerability
The Simple School Management System version 1.0 from code-projects.org contains a SQL injection vulnerability in the sub_delete.php script. The id parameter is directly concatenated into an SQL query without sanitization, as demonstrated in the proof of concept [1]. The application is built with PHP and MySQL.
Exploitation
An attacker must first authenticate to the application, then navigate to the Subject page and click the delete subject button. The request to sub_delete.php?id=5 can be captured and replayed. Using a tool like sqlmap, the attacker can exploit the boolean-based blind SQL injection by sending crafted id parameter values [1]. No special privileges beyond a valid user session are required.
Impact
Successful exploitation allows an attacker to extract sensitive data from the database, including user credentials and other application data. The injection is boolean-based blind, enabling retrieval of arbitrary database contents [1]. This could lead to full compromise of the application and underlying data.
Mitigation
As of the publication date (2024-02-09), no official patch has been released. The vendor has not provided a fix. Users should consider upgrading to a patched version if available, or implement input validation and parameterized queries to prevent SQL injection. The software is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
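The two mitigations named above (input validation and a parameterized query) applied to a delete-by-id handler, as an added example that is not code from the application or its vendor. The `subject` table, its columns, and the `delete_subject` and `make_demo_db` helpers are hypothetical, and an in-memory SQLite database stands in for MySQL so the block runs offline.

```php
<?php
declare(strict_types=1);

// Assumed schema: the page does not show the real table, so `subject(id, name)`
// is hypothetical. SQLite in memory stands in for the application's MySQL database.
function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE subject (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO subject (id, name) VALUES (5, 'Math'), (6, 'History')");
    return $pdo;
}

// Returns the number of rows deleted, or null when the id is rejected.
function delete_subject(PDO $pdo, mixed $rawId): ?int {
    // 1. Allow-list validation: the id must be a positive integer and nothing else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // a real handler would answer HTTP 400 here
    }
    // 2. Parameterized query: the value is bound as an integer and is never
    //    concatenated into the SQL text.
    $stmt = $pdo->prepare('DELETE FROM subject WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = make_demo_db();

// Constructed inputs: one legitimate id and two tampered values.
foreach (['5', '5 AND 1=1', "6' OR '1'='1"] as $input) {
    $result = delete_subject($pdo, $input);
    printf("%-16s => %s\n", $input,
        $result === null ? 'rejected' : "deleted $result row(s)");
}

// Only the row with id 5 was removed; the tampered values never reached the database.
echo 'rows left: ', $pdo->query('SELECT COUNT(*) FROM subject')->fetchColumn(), "\n";
```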
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Code-projects/Simple School Management System
- Range: = 1.0
Patches
No patches discovered yet.
References