VYPR
Unrated severity · NVD Advisory · Published Jul 29, 2024 · Updated Aug 2, 2024

CVE-2024-37857

Description

SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via id parameter to php-lfis/admin/categories/view_category.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Lost and Found Information System 1.0 allows remote attackers to escalate privileges via the id parameter.

Vulnerability

A SQL injection vulnerability exists in Lost and Found Information System 1.0, specifically in the /php-lfis/admin/categories/view_category.php script. The id parameter is not sanitized before it is used in a SQL query, which allows an unauthenticated or authenticated remote attacker to inject arbitrary SQL commands. The application is a PHP-based web application for managing lost and found items, and version 1.0 is affected as described in the CVE [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint with a malicious SQL payload in the id parameter. No special privileges are required to reach the endpoint; the attacker only needs network access to the web application. The injection occurs in the view_category.php script, likely while processing a GET or POST request. The attacker can manipulate the SQL query to bypass authentication or modify database contents.

Impact

Successful exploitation allows the attacker to execute arbitrary SQL statements on the backend database. This can lead to privilege escalation, enabling the attacker to gain administrative access to the Lost and Found Information System. The attacker could also read, modify, or delete sensitive data stored in the database, potentially compromising the confidentiality, integrity, and availability of the application.

Mitigation

As of the publication date (2024-07-29), no official patch or updated version has been released by the vendor. Users should apply input validation and parameterized queries to sanitize the id parameter. If the application is no longer maintained, consider replacing it with a secure alternative or isolating it from untrusted networks. The vulnerability is not listed on the CISA KEV catalog as of this writing.
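The before/after below is an added illustration of the mitigation just described; it is not code from the Lost and Found Information System project, and the `categories` table, its column names, the `$_SESSION['admin_id']` key and the connection details are all assumed. The unsafe function shows the defect class (request data spliced into SQL text); the safe function validates the type first and then binds the value as a parameter.

```php
<?php
// Added example, not the project's own view_category.php.
// Assumed: a MySQL table `categories` with an integer primary key `id`,
// a PDO connection, and a view script that reads the key from $_GET['id'].

// Weak pattern: the request value becomes part of the SQL text, so the
// query structure is under the caller's control. This is the class of
// defect the advisory describes for the id parameter.
function viewCategoryUnsafe(PDO $pdo, array $get): ?array
{
    $sql = "SELECT id, name, description FROM categories WHERE id = '" . ($get['id'] ?? '') . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened pattern: check authorization for an admin-only page, reject
// anything that is not a positive integer, then bind the value so it can
// only ever be data, never SQL.
function viewCategorySafe(PDO $pdo, array $get): ?array
{
    // Assumed session key; the page lives under admin/, so require a logged-in admin.
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        return null;
    }

    // Type validation before the database is touched: null, '', 'abc', '1 OR 1' all fail.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    $stmt = $pdo->prepare('SELECT id, name, description FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Placeholder connection values; disabling emulated prepares makes the server
// itself enforce the separation between query text and bound data.
$pdo = new PDO('mysql:host=localhost;dbname=lfis_db', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

session_start();
header('Content-Type: application/json');
echo json_encode(viewCategorySafe($pdo, $_GET));
```

Two details matter when applying this to a real codebase: the integer check is a defence in its own right (a numeric key that is not an integer has no legitimate use and can be rejected at the edge), and the prepared statement is what removes the injection even for parameters that legitimately carry free text. Both should be applied to every query that reads request data, not only to the one endpoint named in the advisory.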

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.