Unrated severity · NVD Advisory · Published Jul 29, 2024 · Updated Aug 2, 2024

CVE-2024-37858

Description

SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Lost and Found Information System 1.0 allows remote attackers to escalate privileges via the id parameter in manage_category.php.

Vulnerability

The Lost and Found Information System version 1.0, available from SourceCodester [1], contains a SQL injection vulnerability in the php-lfis/admin/categories/manage_category.php script. The id parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL queries.

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending a crafted HTTP request to the vulnerable endpoint with a malicious id parameter. The attacker does not need any special privileges or user interaction. The injection occurs in the context of the database query, enabling the attacker to manipulate the SQL statement.

Impact

Successful exploitation allows a remote attacker to escalate privileges, potentially gaining unauthorized access to administrative functions or sensitive data. The impact includes information disclosure, data manipulation, and potential full compromise of the application's database.

Mitigation

As of the publication date (2024-07-29), no official patch has been released by the vendor. Users should apply input validation and parameterized queries to mitigate the vulnerability. If the application is no longer maintained, consider migrating to a secure alternative.
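
The mitigation described above (validate the id value, then bind it in a parameterized query), shown as an added example; it is not code from the vendor's application. The table and column names are assumptions, and in-memory SQLite via PDO stands in for the application's database so the script runs offline.

```php
<?php
// Added illustration: hardened handling of an `id` request parameter.
// Table/column names (category_list, id, name) are assumptions, and
// in-memory SQLite stands in for the application's real database.

function parse_id($raw): ?int
{
    // Accept only a positive decimal integer; anything else (strings with
    // SQL fragments, empty values, arrays) is rejected before any query.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function find_category(PDO $db, int $id): ?array
{
    // The placeholder keeps the value out of the SQL text: it is sent as
    // data and cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT id, name FROM category_list WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE category_list (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO category_list (name) VALUES ('Electronics'), ('Wallets')");

// Constructed sample values standing in for $_GET['id'].
foreach (['2', '2 OR 1=1', "2'", '', '-5', ['2'], '99'] as $raw) {
    $id = parse_id($raw);
    if ($id === null) {
        // In the web handler this branch would return HTTP 400.
        echo json_encode($raw), " => rejected\n";
        continue;
    }
    $row = find_category($db, $id);
    echo json_encode($raw), ' => ', $row ? $row['name'] : 'not found', "\n";
}
```

Validation and binding are both applied on purpose: the integer check rejects malformed input early, and the bound parameter still protects the query if a later code path skips the check.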

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

References: 3