CVE-2024-10022 Overview
CVE-2024-10022 is a SQL injection vulnerability in code-projects Pharmacy Management System 1.0. The flaw resides in /php/manage_supplier.php?action=search, where the text parameter is concatenated into a SQL query without proper sanitization. Authenticated remote attackers can manipulate the parameter to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed instances. The weakness is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Remote attackers with low privileges can execute arbitrary SQL queries against the backend database, potentially exposing supplier records, patient data, and credentials stored by the application.
Affected Products
- code-projects Pharmacy Management System 1.0
- Deployments using the vulnerable manage_supplier.php endpoint
- PHP/MySQL stacks hosting the application without input filtering
Discovery Timeline
- 2024-10-16 - CVE-2024-10022 published to the National Vulnerability Database (NVD)
- 2024-10-21 - Last updated in NVD database
Technical Details for CVE-2024-10022
Vulnerability Analysis
The vulnerability exists in the supplier search functionality of the Pharmacy Management System. When a user submits a search query through manage_supplier.php with action=search, the text parameter flows directly into a SQL query string. The application does not use parameterized queries or sanitize the input. Attackers can append SQL operators, UNION clauses, or boolean-based payloads to alter query logic.
Exploitation requires only a low-privileged authenticated session and network reachability to the application. Successful injection allows attackers to read arbitrary database tables, modify supplier records, or enumerate the database schema. The exploit details have been disclosed publicly, lowering the barrier to weaponization.
Root Cause
The root cause is improper neutralization of user-supplied input in a dynamic SQL statement [CWE-89]. The text parameter is concatenated into the query without prepared statements or escaping. PHP's mysqli or PDO prepared statement APIs are not used in the affected code path.
Attack Vector
An attacker submits a crafted HTTP request to /php/manage_supplier.php?action=search containing SQL metacharacters in the text parameter. The injected payload modifies the executed query. Because the attack vector is network-based and authentication is low-complexity, exploitation can be automated against internet-exposed instances.
No verified proof-of-concept code is published in the NVD record. Technical details are referenced in the VulDB entry #280557 and a GitHub Gist by the reporter.
Detection Methods for CVE-2024-10022
Indicators of Compromise
- HTTP requests to /php/manage_supplier.php?action=search containing SQL metacharacters such as ', --, UNION, SELECT, or SLEEP(
- Web server access logs showing repeated requests with encoded payloads (%27, %20OR%20) targeting the text parameter
- Unexpected database errors or query timeouts originating from the supplier search endpoint
- Outbound database queries returning unusually large result sets from the supplier search workflow
Detection Strategies
- Deploy web application firewall (WAF) rules to flag SQL injection patterns against the manage_supplier.php path
- Enable MySQL general query logging and review queries originating from the supplier search function for anomalies
- Correlate authenticated session activity with high-volume search requests to identify automated probing
Monitoring Recommendations
- Monitor PHP error logs for mysqli or PDO exceptions tied to the supplier search endpoint
- Alert on HTTP 500 responses or unusually long response times for /php/manage_supplier.php
- Track failed and successful authentication events that precede bursts of search activity
How to Mitigate CVE-2024-10022
Immediate Actions Required
- Restrict network access to the Pharmacy Management System to trusted internal networks until a vendor fix is available
- Disable or remove the manage_supplier.php search functionality if it is not required
- Audit application accounts and rotate database credentials if compromise is suspected
- Review database logs for evidence of unauthorized queries against supplier or user tables
Patch Information
As of the last NVD update on 2024-10-21, no official vendor patch has been published by code-projects for CVE-2024-10022. Refer to the code-projects website for any forthcoming updates. Organizations should consider replacing the application or applying source-level fixes to use parameterized queries in manage_supplier.php.
Workarounds
- Modify the affected source code to use prepared statements with bound parameters via mysqli::prepare() or PDO::prepare()
- Apply server-side input validation to reject non-alphanumeric characters in the text parameter
- Deploy a WAF with SQL injection signatures in front of the application
- Run the application database account with least privilege, removing DROP, ALTER, and FILE permissions
# Example WAF rule (ModSecurity) to block SQL injection on the vulnerable endpoint
SecRule REQUEST_URI "@contains /php/manage_supplier.php" \
"chain,phase:2,deny,status:403,id:1000022,msg:'CVE-2024-10022 SQLi attempt'"
SecRule ARGS:text "@detectSQLi" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
