CVE-2024-10137 Overview
CVE-2024-10137 is a SQL injection vulnerability in code-projects Pharmacy Management System 1.0. The flaw resides in the /manage_medicine.php?action=delete endpoint, where the id parameter is passed unsanitized to a backend SQL query. Remote attackers with low-privileged access can manipulate the id argument to inject arbitrary SQL statements. The exploit has been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed installations. The weakness is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can inject SQL through the id parameter to read, alter, or delete pharmacy records, including patient and medicine inventory data.
Affected Products
- code-projects Pharmacy Management System 1.0
- CPE: cpe:2.3:a:code-projects:pharmacy_management_system:1.0:*:*:*:*:*:*:*
- Vulnerable endpoint: /manage_medicine.php?action=delete
Discovery Timeline
- 2024-10-19 - CVE-2024-10137 published to NVD
- 2024-10-22 - Last updated in NVD database
Technical Details for CVE-2024-10137
Vulnerability Analysis
The vulnerability exists in the medicine management module of code-projects Pharmacy Management System 1.0. The manage_medicine.php script processes the action=delete request by concatenating the user-supplied id parameter directly into a SQL DELETE statement. No prepared statements, parameter binding, or input sanitization are applied before the query executes.
An attacker with valid low-privileged credentials can append SQL syntax such as boolean conditions, UNION SELECT clauses, or stacked queries to the id value. This grants the attacker the ability to extract database contents, manipulate inventory records, or remove arbitrary rows from connected tables. Public disclosure through VulDB and a proof-of-concept gist increases the operational risk for any internet-exposed instance.
Root Cause
The root cause is direct concatenation of unsanitized HTTP GET input into a SQL query string. The application trusts the id parameter and lacks both input validation and parameterized query construction. This matches CWE-89 and reflects a common pattern in small PHP applications that bypass database abstraction layers.
Attack Vector
The attack is remote, network-accessible, and requires only low-privileged authenticated access. An attacker sends a crafted HTTP GET request to /manage_medicine.php?action=delete&id=<payload>. Because the manipulation occurs in a routine delete handler, exploitation requires neither user interaction nor elevated privileges. A working proof-of-concept is referenced in the GitHub Gist PoC Script and indexed at VulDB #280925.
// Vulnerable pattern (illustrative, based on advisory description)
// GET /manage_medicine.php?action=delete&id=1 OR 1=1--
// The unsanitized `id` value is concatenated into a DELETE query,
// allowing the attacker to extend or alter the executed SQL statement.
Detection Methods for CVE-2024-10137
Indicators of Compromise
- HTTP GET requests to /manage_medicine.php?action=delete containing SQL meta-characters such as ', ", --, ;, UNION, or SLEEP(
- Unexpected DELETE or SELECT activity in the MySQL/MariaDB query log originating from the web application user
- Sudden disappearance of rows in the medicine table or related inventory tables
- Web server access logs showing repeated requests to manage_medicine.php from a single source with varying id values
Detection Strategies
- Deploy a web application firewall rule that inspects the id query parameter on manage_medicine.php for SQL syntax tokens
- Enable MySQL general or audit logging and alert on DELETE statements against the medicine table whose WHERE clause is anything other than a single primary-key equality
- Correlate authenticated session activity with bulk database modifications to identify abuse of legitimate accounts
Monitoring Recommendations
- Forward Apache or Nginx access logs to a centralized log platform and search for SQL injection signatures targeting manage_medicine.php
- Baseline normal delete volume per authenticated user and alert on deviations
- Monitor outbound database errors returned in HTTP responses, which often indicate injection probing
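The indicators and monitoring steps above, worked through as an added example that is not part of the advisory: a small Python script that parses Apache/Nginx combined-format access-log lines, decodes the id parameter of manage_medicine.php?action=delete requests, flags values that are not a plain integer or that contain the SQL tokens listed above, and counts delete requests per source address so that a burst of deletes from one host raises a separate alert. The log lines, addresses, usernames and the threshold of three are constructed for the example; the authuser field is assumed to carry the application username, which a session-cookie application would not normally populate.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" log layout: src ident authuser [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# SQL meta-characters and keywords from the advisory's indicator list,
# applied to the already URL-decoded id value.
SQLI_TOKENS = re.compile(r"""['";]|--|\b(?:union|select|sleep|benchmark)\b""", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # parse_qs percent-decodes values, so "1%20OR%201%3D1--" becomes "1 OR 1=1--".
    rec['params'] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def is_delete_request(rec):
    """True for the vulnerable endpoint: manage_medicine.php with action=delete."""
    return rec['path'].endswith('/manage_medicine.php') and rec['params'].get('action') == 'delete'


def classify_id(raw_id):
    """Return the indicator names triggered by one decoded id value.

    A legitimate id is a plain integer; anything else is suspicious on its own,
    and the presence of SQL tokens is reported separately for triage.
    """
    hits = []
    if not re.fullmatch(r'[0-9]+', raw_id):
        hits.append('non_integer_id')
    if SQLI_TOKENS.search(raw_id):
        hits.append('sqli_tokens')
    return hits


def analyse_log(lines, delete_threshold=3):
    """Run the indicators over access-log lines.

    Returns a list of (indicator, source_ip, user, detail) tuples: one entry per
    indicator per suspicious delete request, plus one 'bulk_delete' entry for
    every source that issued delete_threshold or more delete requests.
    """
    alerts = []
    deletes_per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_delete_request(rec):
            continue
        deletes_per_source[rec['src']] += 1
        raw_id = rec['params'].get('id', '')
        for indicator in classify_id(raw_id):
            alerts.append((indicator, rec['src'], rec['user'], raw_id))
    for src, count in deletes_per_source.items():
        if count >= delete_threshold:
            alerts.append(('bulk_delete', src, '-', str(count)))
    return alerts


# Constructed sample: one routine delete, one non-delete request, three deletes
# from a second host (two carrying the page's SQL tokens), and one unparseable line.
SAMPLE_LOG = """\
203.0.113.7 - pharmacist [19/Oct/2024:10:01:02 +0000] "GET /manage_medicine.php?action=delete&id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - pharmacist [19/Oct/2024:10:01:40 +0000] "GET /manage_medicine.php?action=view&id=43 HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
198.51.100.9 - clerk [19/Oct/2024:10:02:11 +0000] "GET /manage_medicine.php?action=delete&id=1%20OR%201%3D1-- HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.9 - clerk [19/Oct/2024:10:02:12 +0000] "GET /manage_medicine.php?action=delete&id=1%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 500 532 "-" "curl/8.4.0"
198.51.100.9 - clerk [19/Oct/2024:10:02:13 +0000] "GET /manage_medicine.php?action=delete&id=7 HTTP/1.1" 302 0 "-" "curl/8.4.0"
this line is not in combined format
"""

if __name__ == '__main__':
    for alert in analyse_log(SAMPLE_LOG.splitlines()):
        print(alert)
```

The non-integer check is the stronger signal: every legitimate id on this endpoint is a positive integer, so anything else is worth a ticket even when it matches none of the listed tokens. The token list is kept only to prioritise the obvious probes, and the per-source counter covers the case in the indicator list where each individual request looks routine.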
How to Mitigate CVE-2024-10137
Immediate Actions Required
- Restrict access to the Pharmacy Management System to trusted networks or place it behind a VPN until a fix is applied
- Disable or remove the manage_medicine.php?action=delete endpoint if it is not required for current operations
- Rotate database credentials used by the application and audit recent DELETE activity in the medicine table
- Review web server logs for prior exploitation attempts referencing the vulnerable endpoint
Patch Information
No official vendor patch has been published by code-projects at the time of NVD entry. Refer to the Code Projects Resource Hub for any future updates. Administrators should apply source-level fixes by replacing concatenated SQL with prepared statements using PDO or mysqli parameter binding, and by enforcing strict integer validation on the id parameter.
Workarounds
- Insert server-side validation that casts the id parameter to an integer before any database operation
- Deploy a WAF signature blocking SQL meta-characters in query string parameters for manage_medicine.php
- Apply least-privilege database permissions so the application user cannot DROP tables or read sensitive schemas
- Place the application behind authenticated reverse-proxy access controls to limit exposure
# Example ModSecurity rule to block SQL meta-characters in the id parameter of manage_medicine.php.
# The pattern matches a quote or semicolon, the two-character comment sequence "--", or one of the
# keywords as a whole word; t:lowercase makes the keyword match case-insensitive.
SecRule ARGS:id "@rx ['\";]|--|\b(?:union|select|sleep|benchmark)\b" \
    "id:1001370,phase:2,deny,status:403,log,t:none,t:lowercase,\
    msg:'Possible SQLi attempt against manage_medicine.php (CVE-2024-10137)'"
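To make the root cause and the source-level fix concrete, here is an added example, not code from the Pharmacy Management System (which is PHP), written in Python against an in-memory SQLite table that stands in for the application's medicine table. delete_medicine_vulnerable reproduces the concatenation pattern the advisory describes, and delete_medicine_fixed applies the two corrections recommended above: strict integer validation of id, then a bound parameter in place of string building. The table contents and function names are constructed; the Python sqlite3 placeholder plays the role that PDO or mysqli parameter binding plays in PHP.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the application's medicine table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE medicine (id INTEGER PRIMARY KEY, name TEXT, stock INTEGER)')
    conn.executemany(
        'INSERT INTO medicine VALUES (?, ?, ?)',
        [(1, 'amoxicillin', 120), (2, 'ibuprofen', 300), (3, 'insulin', 40)],
    )
    conn.commit()
    return conn


def row_count(conn):
    """Rows left in the table; used instead of cursor.rowcount so the effect is unambiguous."""
    return conn.execute('SELECT COUNT(*) FROM medicine').fetchone()[0]


def delete_medicine_vulnerable(conn, raw_id):
    """The CWE-89 pattern the advisory describes: the raw GET value is concatenated
    into the statement, so any SQL syntax inside `id` becomes part of the query.
    Returns the number of rows remaining afterwards."""
    conn.execute('DELETE FROM medicine WHERE id = ' + raw_id)
    conn.commit()
    return row_count(conn)


def delete_medicine_fixed(conn, raw_id):
    """Hardened handler. Step 1 is the strict integer validation recommended in the
    workarounds (the PHP equivalent is filter_var($_GET['id'], FILTER_VALIDATE_INT)).
    Step 2 sends the value as a bound parameter, the same role PDO/mysqli prepared
    statements play in PHP, so the database never parses it as SQL.
    Returns the number of rows remaining afterwards."""
    if not re.fullmatch(r'[0-9]+', raw_id):
        raise ValueError('id must be a positive integer')
    conn.execute('DELETE FROM medicine WHERE id = ?', (int(raw_id),))
    conn.commit()
    return row_count(conn)


def fixed_handler_rejects(conn, raw_id):
    """True if the hardened handler refuses the value without touching the table."""
    before = row_count(conn)
    try:
        delete_medicine_fixed(conn, raw_id)
    except ValueError:
        return row_count(conn) == before
    return False


if __name__ == '__main__':
    injected = '1 OR 1=1--'  # the value shown in the vulnerable-pattern comment above
    print('vulnerable, rows left:', delete_medicine_vulnerable(make_demo_db(), injected))
    conn = make_demo_db()
    print('fixed rejects injected value:', fixed_handler_rejects(conn, injected))
    print('fixed, routine delete, rows left:', delete_medicine_fixed(conn, '2'))
```

Running the block with the page's 1 OR 1=1-- value shows the difference: the vulnerable handler empties the table because the injected condition is true for every row, while the fixed handler rejects the value before any query runs. Even if a non-numeric value slipped past validation, the placeholder would hand it to the engine as data to compare against the id column rather than as text to parse.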
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.