Platform
php
Component
school-erp-pro-responsive
Fixed in
1.0.1
CVE-2024-4824 is a critical SQL injection vulnerability affecting School ERP Pro+Responsive version 1.0. This flaw allows a remote attacker to inject malicious SQL code through the /SchoolERP/office_admin/ index page, potentially compromising sensitive data. A patch, version 1.0.1, is available to address this issue.
The SQL Injection vulnerability in School ERP Pro+Responsive poses a significant risk to data confidentiality and integrity. An attacker could leverage this flaw to extract sensitive information stored within the database, including student records, financial data, and administrative credentials. Successful exploitation could lead to unauthorized access, data breaches, and potential disruption of school operations. The ability to execute arbitrary SQL queries grants the attacker a high degree of control over the database, enabling them to modify or delete data as well. This vulnerability shares characteristics with other SQL injection attacks, where attackers manipulate database queries to gain unauthorized access.
CVE-2024-4824 was publicly disclosed on May 13, 2024. While no active exploitation campaigns have been confirmed at the time of writing, the critical CVSS score and the ease of exploitation suggest a high probability of exploitation. No KEV listing exists as of this date. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Schools and educational institutions utilizing School ERP Pro+Responsive version 1.0 are particularly at risk. Organizations with limited security expertise or those relying on default configurations are also more vulnerable. Shared hosting environments where multiple users share the same server instance could experience broader impact if one user's installation is compromised.
• php: Examine web server access logs for suspicious requests targeting /SchoolERP/office_admin/ with unusual values in the parameters groups_id, exam_name, classes_id, es_voucher_id and es_class.
  grep -i 'office_admin/.*[\?\&]groups_id=[^a-z0-9]' /var/log/apache2/access.log
• generic web: Use curl to test the /SchoolERP/office_admin/ endpoint with various SQL injection payloads in the parameters.
  curl -G 'http://example.com/SchoolERP/office_admin/' --data-urlencode "groups_id=1' UNION SELECT 1,2,3 -- -"
Disclosure
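The grep above only fires when a literal special character follows groups_id=; in real traffic the payload is usually URL-encoded (the quote arrives as %27), so the pattern misses it. The following is an added example, not part of the original advisory, that performs the same log review after decoding the query string. The path /SchoolERP/office_admin/ and the five parameter names come from the advisory; the log lines, client addresses and timestamps are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Injection points named in the advisory (path and parameter names are from the page)
TARGET_PATH = "/SchoolERP/office_admin/"
WATCHED_PARAMS = {"groups_id", "exam_name", "classes_id", "es_voucher_id", "es_class"}

# SQL metacharacters and keywords typical of injection attempts, checked AFTER URL-decoding
SQLI_PATTERN = re.compile(
    r"""('|"|--|#|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\d+\s*=\s*\d+)""",
    re.IGNORECASE,
)

# Apache "combined" format: client ident user [time] "METHOD URL PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic); lines 2 and 3 carry URL-encoded payloads
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2024:10:00:01 +0000] "GET /SchoolERP/office_admin/?groups_id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/May/2024:10:00:07 +0000] "GET /SchoolERP/office_admin/?groups_id=1%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 7310 "-" "curl/8.0"',
    '198.51.100.2 - - [13/May/2024:10:01:12 +0000] "GET /SchoolERP/office_admin/?es_class=3%20AND%20SLEEP(5) HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.8 - - [13/May/2024:10:02:00 +0000] "GET /SchoolERP/student/?groups_id=1%27 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/May/2024:10:03:00 +0000] "POST /SchoolERP/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def analyze_request(url):
    """Return the watched parameters whose decoded value looks like SQL injection (empty set if none).

    Only requests under TARGET_PATH are examined, matching the advisory's scope.
    """
    parts = urlsplit(url)
    if not parts.path.startswith(TARGET_PATH):
        return set()
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    hits = set()
    for name, values in params.items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # second pass catches double-encoded payloads (%2527)
            if SQLI_PATTERN.search(decoded):
                hits.add(name)
    return hits


def scan_log(lines):
    """Parse access-log lines and return one finding per request that matched SQLI_PATTERN."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on log noise
        hits = analyze_request(m.group("url"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "params": sorted(hits),
                "status": m.group("status"),  # a 500 after a payload often means the query was altered
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} params={','.join(f['params'])}")
```

Treat hits as leads, not verdicts: a legitimate exam_name containing an apostrophe will match, so tune the pattern against your own traffic, and pair status-500 responses with the parameter that changed to separate probing from a query that actually broke.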
Exploit Status
EPSS
1.29% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-4824 is to immediately upgrade School ERP Pro+Responsive to version 1.0.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries within the application code. Web Application Firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Regularly review and update database access controls to limit the potential impact of a successful attack.
Update School ERP Pro+Responsive to a patched version that fixes the SQL injection vulnerability. Contact the vendor AROX SOLUTION to obtain the update or apply the recommended security measures. As a temporary measure, validate and sanitize all user input to prevent the execution of malicious SQL code.
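To make the "parameterized queries and input validation" recommendation concrete, here is an added example that is not code from School ERP Pro+Responsive or AROX SOLUTION. It places the string-concatenated query pattern behind this class of bug next to a parameterized query and an integer allowlist for groups_id, using Python's sqlite3 module and a constructed two-table schema that merely stands in for the ERP database. In the PHP application the equivalent fix is a PDO or mysqli prepared statement with bound parameters; the principle is identical.

```python
import sqlite3

# Same payload shape as the advisory's curl example, adjusted to the two columns this query returns
PAYLOAD = "1' UNION SELECT username, password_hash FROM users -- -"


def make_demo_db():
    """Constructed in-memory stand-in for the ERP database; these are not the real School ERP tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users  (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO groups VALUES (1, 'Grade 1'), (2, 'Grade 2');
        INSERT INTO users  VALUES (1, 'admin', 'fake-hash-for-demo');
        """
    )
    return conn


def lookup_group_vulnerable(conn, groups_id):
    """The defective pattern: the request value is spliced into the SQL text, so it can rewrite the query."""
    sql = f"SELECT id, name FROM groups WHERE id = '{groups_id}'"
    return conn.execute(sql).fetchall()


def lookup_group_safe(conn, groups_id):
    """Parameterized query: the value travels separately from the SQL and can never become syntax."""
    return conn.execute("SELECT id, name FROM groups WHERE id = ?", (groups_id,)).fetchall()


def validate_groups_id(raw):
    """Input validation in front of the query: accept only a positive integer, reject everything else."""
    if isinstance(raw, str) and raw.isdigit() and int(raw) > 0:
        return int(raw)
    raise ValueError("groups_id must be a positive integer")


def handle_group_request(conn, raw_groups_id):
    """What a fixed request handler does: validate first, then query with bound parameters.

    Returns an (http_status, rows) pair so callers can see rejection versus an empty result.
    """
    try:
        gid = validate_groups_id(raw_groups_id)
    except ValueError:
        return 400, []
    return 200, lookup_group_safe(conn, gid)


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable, normal input :", lookup_group_vulnerable(db, "1"))
    print("vulnerable, payload      :", lookup_group_vulnerable(db, PAYLOAD))  # leaks the users row
    print("parameterized, payload   :", lookup_group_safe(db, PAYLOAD))       # no rows: payload is just a value
    print("handler, payload         :", handle_group_request(db, PAYLOAD))    # rejected before any query
    print("handler, normal input    :", handle_group_request(db, "2"))
```

The two layers are deliberate: the parameterized query alone already defeats the injection, and the allowlist adds defence in depth (a non-numeric id is rejected before the database is touched, which also gives your logs a clean 400 to alert on). Validation without parameterization is the weaker order, since a filter can be bypassed while a bound parameter cannot change query structure.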
CVE-2024-4824 is a critical vulnerability allowing attackers to inject malicious SQL code into School ERP Pro+Responsive version 1.0, potentially extracting sensitive data.
If you are using School ERP Pro+Responsive version 1.0, you are vulnerable. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. If immediate upgrade is not possible, implement input validation and WAF rules as temporary measures.
While no active exploitation campaigns have been confirmed, the critical severity and ease of exploitation suggest a high likelihood of future attacks.
Refer to the vendor's official website or security advisory channels for the latest information and updates regarding CVE-2024-4824.