High severity · NVD Advisory · Published Dec 4, 2025 · Updated Apr 15, 2026

CVE-2024-58276

Description

Obi08/Enrollment System 1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can use UNION-based injection to extract sensitive information from the users table including usernames and passwords.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Enrollment System v1.0 has an unauthenticated SQL injection in /get_subject.php allowing attackers to extract usernames and passwords via UNION-based queries.

Vulnerability Overview

Obi08/Enrollment System v1.0 contains a SQL injection vulnerability in the keyword parameter of /get_subject.php [1][3]. The application fails to properly sanitize user input before incorporating it into SQL queries, allowing an attacker to inject arbitrary SQL commands. This is classified as CWE-89 Improper Neutralization of Special Elements used in an SQL Command [3].

Exploitation Details

The vulnerability is exploitable without authentication, requiring only network access to the web application [1]. An attacker can use UNION-based SQL injection to extract data from the users table, which stores usernames and passwords [1][3]. The exploit is publicly available on Exploit-DB, demonstrating the ease of exploitation [1].

Impact

Successful exploitation allows an unauthenticated attacker to retrieve sensitive credentials from the database [1][3]. With these credentials, an attacker could gain administrative access to the enrollment system, potentially compromising student and administrator accounts.

Mitigation

As of the publication date, no official patch has been released. The vendor's GitHub repository [2] provides the source code, and users are advised to implement input validation and parameterized queries to prevent SQL injection. Until a fix is applied, the system remains vulnerable to credential theft.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
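
The mitigation named above (input validation plus parameterized queries), sketched as an added example; it is not part of the advisory and is not the Obi08 project's code. It assumes a hypothetical `subjects` table with `code` and `title` columns, MySQL accessed through PDO, and connection settings held in hypothetical `ENROLL_*` environment variables.

```php
<?php
// Added illustration: hardened keyword lookup for an endpoint shaped like
// /get_subject.php. Table, column and env-var names are assumptions; the
// project's real handler is not shown on this page.
header('Content-Type: application/json');

// 1. Input validation: require a non-empty scalar string of bounded length.
//    (?keyword[]=x arrives as an array and is rejected here.)
$keyword = $_GET['keyword'] ?? '';
if (!is_string($keyword) || $keyword === '' || strlen($keyword) > 64) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid keyword']);
    exit;
}

// General shape of the flaw class (CWE-89), kept as a comment only:
//   $sql = "SELECT ... WHERE title LIKE '%" . $_GET['keyword'] . "%'";
// The request value becomes part of the SQL text, so it can change the query.

$pdo = new PDO(
    getenv('ENROLL_DSN'),        // hypothetical, e.g. a mysql: DSN with charset=utf8mb4
    getenv('ENROLL_DB_USER'),    // ideally an account limited to SELECT on subjects
    getenv('ENROLL_DB_PASS'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
    ]
);

// 2. Escape LIKE wildcards with an explicit escape character so that
//    '%' and '_' typed by the user match literally.
$pattern = '%' . strtr($keyword, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';

// 3. Parameterized query: the keyword is bound as data, never concatenated.
$stmt = $pdo->prepare(
    "SELECT code, title FROM subjects WHERE title LIKE :kw ESCAPE '!' LIMIT 50"
);
$stmt->execute([':kw' => $pattern]);

// 4. Return only the selected columns; database errors raise exceptions
//    instead of being echoed into the response.
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Running the endpoint under a database account that has no privileges on the users table limits what any remaining query flaw can read.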

Patches

No patches discovered yet.
