SQL Injection Vulnerability in SourceCodester Online Courseware
CVE-2024-3416

9.8CRITICAL

Key Information:

Vendor
Sourcecodester
Status
Online Courseware
Vendor
CVE Published:
7 April 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

A significant SQL injection vulnerability has been identified in SourceCodester Online Courseware version 1.0, specifically within the admin/editt.php file. The vulnerability arises from improper validation of the 'id' argument, enabling attackers to manipulate queries executed against the database. This flaw allows potential remote exploitation, where an attacker can issue unauthorized database commands. The implications of this vulnerability are severe, as it may lead to unauthorized access to sensitive data, data corruption, or even complete system compromise. It is crucial for users of this software to apply the recommended patches or mitigations promptly to safeguard against possible exploitation. For further details, refer to the comprehensive analysis available in the vulnerability database and advisories.

Affected Version(s)

Online Courseware 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-3416 - Proof of Concept

References

https://vuldb.com/?id.259588
vdb-entrytechnical-description
https://vuldb.com/?ctiid.259588
signaturepermissions-required
https://vuldb.com/?submit.311593
third-party-advisory

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

liuann (VulDB User)
.