SQL Injection Vulnerability in Code-Projects Job Recruitment Software
CVE-2024-12939

5.3MEDIUM

Key Information:

Vendor
Code-projects
Status
Job Recruitment
Vendor
CVE Published:
26 December 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A security flaw has been identified in the Code-Projects Job Recruitment software version 1.0 that allows an SQL injection attack through the 'add_edu' function located in the file /_parse/_all_edits.php. This vulnerability occurs due to improper handling of the 'degree' argument, which can be manipulated by an attacker to execute unauthorized SQL commands. The exploitation of this vulnerability can be conducted remotely, putting systems at risk. Additionally, other parameters may also be susceptible to similar SQL injection attacks, raising concerns over the potential for data breaches and unauthorized access to sensitive information. It is crucial for users to review their installations and implement necessary patches or mitigations.

Affected Version(s)

Job Recruitment 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12939 - Proof of Concept

References

https://vuldb.com/?id.289295
vdb-entrytechnical-description
https://vuldb.com/?ctiid.289295
signaturepermissions-required
https://vuldb.com/?submit.467816
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Hl0kk (VulDB User)
.
CVE-2024-12939 : SQL Injection Vulnerability in Code-Projects Job Recruitment Software | SecurityVulnerability.io