CVE-2024-10350 Overview
CVE-2024-10350 is a SQL injection vulnerability in code-projects Hospital Management System 1.0. The flaw resides in the /admin/add-doctor.php script, where the docname parameter is incorporated into a database query without proper sanitization. An authenticated attacker with administrative privileges can manipulate the parameter to inject arbitrary SQL statements. The attack is exploitable remotely over the network, and a public disclosure has been made. The vulnerability is classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Successful exploitation lets an attacker who already holds an administrator session read, modify, or destroy patient and administrative records stored in the hospital management database. The reach of the injected statement is bounded by the privileges of the database account the web application connects with, which is why least-privilege grants limit the damage even before the code is fixed.
Affected Products
- Fabian Hospital Management System 1.0
- code-projects Hospital Management System (/admin/add-doctor.php endpoint)
- Deployments referencing CPE cpe:2.3:a:fabian:hospital_management_system:1.0
Discovery Timeline
- 2024-10-24 - CVE-2024-10350 published to the National Vulnerability Database
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2024-10350
Vulnerability Analysis
The vulnerability exists in the administrative doctor-creation workflow of the Hospital Management System. The add-doctor.php script accepts the docname HTTP parameter and concatenates it directly into a SQL statement executed against the backend database. Because the application does not use parameterized queries or input sanitization, the database engine treats attacker-supplied SQL syntax as part of the query.
An attacker with valid administrator credentials can submit a crafted docname value to insert rows of their choosing, modify records, or extract data through error-based or time-based blind techniques. Because the attacker must already be authenticated as an administrator, the flaw does not bypass the login itself; its value lies in reaching data and tables the add-doctor form was never meant to touch. The flaw maps to [CWE-89] and follows the classic injection pattern seen in PHP applications that build query strings for mysqli_query or mysql_query by concatenation.
Exploitation requires network access to the administrative interface and authenticated session privileges. The exploit details have been publicly disclosed through the GitHub CVE Issue Tracker and VulDB entry #281698.
Root Cause
The root cause is improper neutralization of special elements in SQL syntax. The add-doctor.php script trusts the docname POST or GET parameter and inlines it into an INSERT statement without using prepared statements, bound parameters, or escaping functions such as mysqli_real_escape_string.
Attack Vector
An authenticated administrator submits a request to /admin/add-doctor.php containing SQL metacharacters in the docname field. The injected payload terminates the original string literal and appends further SQL. Because the sink is an INSERT rather than a SELECT, query results are not echoed back the way a UNION SELECT would return them; instead the attacker appends extra value tuples to write rows the form never offered, uses error-based or time-based blind techniques to extract data, or, where the driver permits stacked queries, appends a separate statement. The database executes the modified statement, performing the unauthorized writes or leaking data through error text or response timing.
Beyond the disclosure write-up in the GitHub CVE Issue Tracker and the VulDB entry, no verified exploit code has been published in a reputable repository. Refer to the VulDB advisory for additional technical context.
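To make the root cause and attack vector above concrete, the following is an added example written for this page; it is not code from the Hospital Management System or from the disclosure. It models the defect against an in-memory SQLite stand-in for the doctor table (the schema, column names and the dept parameter are assumptions), shows an INSERT-context payload that adds a second row the administrator never entered, and places the hardened handler, allowlist validation plus a bound parameter, beside it.

```python
"""Added illustration of the CWE-89 pattern behind CVE-2024-10350 and its
fix. The doctor table schema, the dept parameter and the row ids are
assumptions made for this example; SQLite stands in for MySQL."""
import re
import sqlite3

# Allowlist for a doctor's display name (assumption): a letter followed by
# letters, spaces, periods, apostrophes and hyphens, up to 64 characters.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def make_db() -> sqlite3.Connection:
    """Create an in-memory stand-in for the application's doctor table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE doctor (id INTEGER PRIMARY KEY, docname TEXT, dept TEXT)"
    )
    return conn


def add_doctor_vulnerable(conn: sqlite3.Connection, docname: str, dept: str) -> int:
    """Mirrors the defect: request parameters are concatenated into the SQL
    text, so quote characters in docname become SQL syntax. Returns the
    number of rows the statement actually inserted."""
    sql = (
        "INSERT INTO doctor (docname, dept) VALUES ('"
        + docname + "', '" + dept + "')"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def add_doctor_fixed(conn: sqlite3.Connection, docname: str, dept: str) -> int:
    """Hardened form: validate against the allowlist, then bind the values
    as parameters so the database never parses them as SQL."""
    if not NAME_RE.fullmatch(docname):
        raise ValueError("docname rejected by allowlist")
    cur = conn.execute(
        "INSERT INTO doctor (docname, dept) VALUES (?, ?)", (docname, dept)
    )
    conn.commit()
    return cur.rowcount


def doctor_names(conn: sqlite3.Connection) -> list:
    """Return every docname in insertion order."""
    return [row[0] for row in conn.execute("SELECT docname FROM doctor ORDER BY id")]


# Constructed INSERT-context payload: closes the docname literal and the
# first value tuple, then opens a second tuple the administrator never typed.
# The application's own dept value ends up closing that second tuple.
INJECTED_DOCNAME = "Mallory', 'ICU'), ('Injected"

if __name__ == "__main__":
    vuln = make_db()
    print("vulnerable rows inserted:", add_doctor_vulnerable(vuln, INJECTED_DOCNAME, "Cardiology"))
    print("vulnerable table:", doctor_names(vuln))

    fixed = make_db()
    try:
        add_doctor_fixed(fixed, INJECTED_DOCNAME, "Cardiology")
    except ValueError as exc:
        print("fixed handler:", exc)
    add_doctor_fixed(fixed, "Dr. Alice O'Brien", "Cardiology")
    print("fixed table:", doctor_names(fixed))
```

The vulnerable handler reports two inserted rows for a single form submission, which is exactly the anomaly a database audit log would show. The fixed handler rejects the payload before any query runs, and because the value is bound rather than concatenated, a legitimate name containing an apostrophe is stored intact without any escaping logic in the application.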
Detection Methods for CVE-2024-10350
Indicators of Compromise
- HTTP POST or GET requests to /admin/add-doctor.php containing SQL metacharacters such as single quotes, UNION, SELECT, --, or /* in the docname parameter.
- Unexpected statement shapes in MySQL or MariaDB query logs from the web application's database user: multi-row INSERTs into the doctor table produced by a single form submission, UNION clauses, comment sequences, or tautologies.
- New or modified rows in the doctor table that were not created through normal workflows, and any new administrator accounts if the injected statement can reach the account table.
Detection Strategies
- Enable database query logging and alert on syntactically anomalous statements referencing the doctor table or containing tautology patterns such as OR 1=1.
- Deploy a Web Application Firewall (WAF) rule set, such as OWASP CRS, to flag SQL injection signatures targeting /admin/*.php endpoints.
- Correlate authentication events with administrative form submissions to identify session abuse or credential compromise.
Monitoring Recommendations
- Forward web server access logs and database audit logs to a centralized analytics platform for retention and correlation.
- Baseline normal administrator activity and alert on bursts of write operations or large result sets returned from the doctor management endpoints.
- Review error responses from add-doctor.php for verbose SQL errors that may indicate probing.
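The following is an added example, not part of the original advisory or the product, that implements the access-log and query-log checks listed above in Python over constructed sample lines. The log layouts (Apache combined format for the web server, the MySQL general query log for the database) and the sample addresses are assumptions. It also carries the caveat a practitioner should keep in mind: a web server access log records only query-string parameters, so a docname sent in a POST body is invisible there and has to be caught in a WAF audit log or in the database query log.

```python
"""Added detector for the indicators in this section: SQL metacharacters in
the docname parameter of /admin/add-doctor.php in web server access logs,
and suspicious statement shapes against the doctor table in the MySQL
general query log. Log layouts and sample addresses are assumptions; the
sample lines below are constructed, not captured from a real deployment."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/admin/add-doctor.php"

# Apache/Nginx combined log format (assumed layout).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# MySQL general query log line (assumed layout): timestamp, connection id,
# command type, statement text.
QUERY_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.+)$")

# Metacharacters and keywords from the indicator list, plus a tautology shape.
SQLI_RE = re.compile(
    r"'|--|/\*|\b(?:union|select|insert|sleep|benchmark)\b|\bor\b\s+\S+\s*=\s*\S+",
    re.IGNORECASE,
)

# Statement shapes that should not appear in normal doctor-table traffic.
SUSPECT_SQL_RE = re.compile(
    r"--|/\*|\bunion\s+select\b|\b(?:sleep|benchmark|extractvalue|updatexml)\s*\("
    r"|\bor\b\s+\S+\s*=\s*\S+",
    re.IGNORECASE,
)
DOCTOR_TABLE_RE = re.compile(r"\bdoctor\b", re.IGNORECASE)


def flag_access_lines(lines):
    """Return one record per docname value on the target path that carries
    SQL metacharacters. The value is decoded a second time so a
    double-encoded payload is seen as well. Limitation: access logs carry
    only query-string parameters, so a POST body is invisible here."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("docname", []):
            decoded = unquote_plus(value)
            if SQLI_RE.search(value) or SQLI_RE.search(decoded):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "docname": decoded})
    return hits


def flag_query_log(lines):
    """Return statements that reference the doctor table and contain a
    comment sequence, UNION SELECT, a timing or error-based function call,
    or a tautology."""
    hits = []
    for line in lines:
        m = QUERY_LOG_RE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        if DOCTOR_TABLE_RE.search(sql) and SUSPECT_SQL_RE.search(sql):
            hits.append({"conn": m.group("conn"), "ts": m.group("ts"), "sql": sql})
    return hits


# Constructed sample lines: one benign request, two injection attempts, one
# unrelated endpoint, and one POST whose body the access log cannot show.
SAMPLE_ACCESS = [
    '203.0.113.7 - - [24/Oct/2024:10:01:02 +0000] "GET /admin/add-doctor.php?docname=Dr.+Alice+Smith&dept=Cardiology HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Oct/2024:10:01:40 +0000] "GET /admin/add-doctor.php?docname=x%27%29%2C%28%27Injected HTTP/1.1" 200 512',
    '198.51.100.9 - - [24/Oct/2024:10:02:11 +0000] "GET /admin/add-doctor.php?docname=Mallory%27+OR+1%3D1--+ HTTP/1.1" 500 310',
    '198.51.100.9 - - [24/Oct/2024:10:02:30 +0000] "GET /admin/dashboard.php?docname=%27 HTTP/1.1" 200 100',
    '198.51.100.9 - - [24/Oct/2024:10:03:00 +0000] "POST /admin/add-doctor.php HTTP/1.1" 302 0',
]
SAMPLE_QUERY_LOG = [
    "2024-10-24T10:01:02.000000Z\t   12 Query\tINSERT INTO doctor (docname, dept) VALUES ('Dr. Alice Smith', 'Cardiology')",
    "2024-10-24T10:02:11.000000Z\t   12 Query\tINSERT INTO doctor (docname, dept) VALUES ('Mallory' OR 1=1-- ', 'Cardiology')",
    "2024-10-24T10:02:50.000000Z\t   13 Query\tSELECT * FROM patients WHERE id = 4",
    "2024-10-24T10:03:10.000000Z\t   13 Query\tSELECT docname FROM doctor WHERE id = 1 UNION SELECT password FROM admin",
]

if __name__ == "__main__":
    for hit in flag_access_lines(SAMPLE_ACCESS):
        print("access:", hit)
    for hit in flag_query_log(SAMPLE_QUERY_LOG):
        print("query:", hit)
```

Run against the samples, the access-log check flags the two GET requests with metacharacters in docname and ignores the benign name, the unrelated endpoint, and the POST request whose body it cannot see; the query-log check flags the tautology INSERT and the UNION SELECT while leaving the benign INSERT and the patients query alone. The 500 status on the flagged request is the verbose-error probing signal the monitoring recommendations refer to, so it is carried into the record for correlation.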
How to Mitigate CVE-2024-10350
Immediate Actions Required
- Restrict network access to the /admin/ directory using IP allowlists, VPN gating, or reverse proxy authentication.
- Rotate administrator credentials and audit recent activity on the add-doctor.php endpoint.
- Deploy WAF rules that block SQL injection payloads targeting the docname parameter until a patched build is available.
Patch Information
No official vendor patch has been published for Fabian Hospital Management System 1.0 at the time of disclosure. Operators should monitor the code-projects resource hub and the GitHub CVE Issue Tracker for updates. In the absence of a vendor fix, application maintainers should refactor add-doctor.php to use parameterized queries via PDO::prepare or mysqli_prepare.
Workarounds
- Rewrite the affected query to use prepared statements with bound parameters, eliminating string concatenation of user input.
- Apply server-side input validation that restricts docname to an allowlisted character set such as alphabetic characters, spaces, and limited punctuation.
- Run the database service account with least-privilege permissions, preventing destructive operations such as DROP or cross-database reads.
# Example WAF rule (ModSecurity) to block SQLi patterns on the affected endpoint.
# phase:2 is required because form fields in a POST body are only available
# after the request body has been read. The disruptive action sits on the first
# rule of the chain and fires only when the chained docname check also matches;
# log is included so blocked attempts reach the audit log for correlation.
SecRule REQUEST_URI "@beginsWith /admin/add-doctor.php" \
"phase:2,deny,status:403,log,id:1002024103500,\
msg:'Block SQLi attempt on add-doctor.php docname parameter',\
chain"
SecRule ARGS:docname "@detectSQLi" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.