SQL Injection Vulnerability in Daily Expenses Management System by PHP Gurukul
CVE-2024-29390

7.3HIGH

Key Information:

Vendor: PHP Gurukul
Status: Daily Expenses Management System
Vendor: CVE Published:; 20 June 2024

Summary

The Daily Expenses Management System version 1.0, developed by PHP Gurukul, is susceptible to a time-based blind SQL injection on the 'add-expense.php' page. An attacker can exploit this vulnerability by manipulating the 'item' parameter in a POST request, allowing them to execute arbitrary SQL commands on the backend database. By injecting specifically crafted SQL queries that induce time delays in database operations, attackers can confirm the presence of this vulnerability based on the observable lag in server response times.

References

https://github.com/CyberSentryX/CVE_Hunting/blob/main/CVE...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 20, 2024
Vulnerability Reserved
Mar 19, 2024