CVE-2024-10418 Overview
CVE-2024-10418 is a SQL injection vulnerability in code-projects Blood Bank Management System 1.0. The flaw resides in the /file/infoAdd.php script, where the bg parameter is passed to a backend SQL query without proper sanitization. Authenticated remote attackers can manipulate this parameter to inject arbitrary SQL statements. The issue is classified under [CWE-89] Improper Neutralization of Special Elements used in an SQL Command. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed installations.
Critical Impact
Successful exploitation enables attackers to read, modify, or destroy data stored in the Blood Bank Management System database, including donor records and authentication data.
Affected Products
- code-projects Blood Bank Management System 1.0
- Fabian Blood Bank Management System (fabian:blood_bank_management_system:1.0)
- Deployments hosting /file/infoAdd.php from this codebase
Discovery Timeline
- 2024-10-27 - CVE-2024-10418 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2024-10418
Vulnerability Analysis
The vulnerability exists in the infoAdd.php endpoint of the Blood Bank Management System. The application accepts the bg HTTP parameter and concatenates its value directly into a SQL statement. Because no parameterized queries or input validation are applied, attacker-controlled input becomes part of the executed SQL syntax.
An attacker with low-privilege authenticated access can submit crafted values to manipulate the query logic. Typical impact includes extracting database contents, bypassing application checks, or modifying records. The attack requires only network access to the application and does not require user interaction.
Because the codebase is distributed as an open educational PHP project, multiple deployments share identical query patterns. Public disclosure of the exploit technique via a GitHub Gist proof-of-concept lowers the barrier to abuse.
Root Cause
The root cause is unsanitized user input flowing into a SQL query string. The bg parameter handler in infoAdd.php does not use prepared statements, parameter binding, or input filtering. This violates standard PHP database access guidance, which requires using PDO or MySQLi parameterized queries to separate code from data.
Attack Vector
The attack is launched remotely over HTTP or HTTPS against the vulnerable endpoint. An attacker authenticates to the application, then submits a POST or GET request to /file/infoAdd.php containing a SQL payload in the bg field. The injected fragment alters the query semantics on the backend MySQL or MariaDB instance.
No verified exploitation code is reproduced here. Refer to the VulDB entry #281959 for additional technical context on the disclosed payload.
Detection Methods for CVE-2024-10418
Indicators of Compromise
- HTTP requests to /file/infoAdd.php containing SQL metacharacters or keywords such as ', --, UNION, SELECT, or SLEEP( in the bg parameter
- Web server logs showing abnormally long bg values or encoded payloads (%27, %20OR%20)
- Unexpected database errors or stack traces returned in HTTP responses from infoAdd.php
- Anomalous queries against the blood bank database from the web application user, including INFORMATION_SCHEMA reads
Detection Strategies
- Deploy web application firewall rules that inspect the bg parameter on the infoAdd.php URI for SQL injection patterns
- Enable MySQL or MariaDB general query logging temporarily to identify malformed or unexpected statements originating from the application
- Correlate authentication events with subsequent requests to infoAdd.php to detect post-login probing
Monitoring Recommendations
- Alert on HTTP 500 responses from /file/infoAdd.php paired with SQL syntax error strings
- Monitor outbound database traffic for unusual record volumes that may indicate data exfiltration
- Track repeated requests with varying bg payloads from the same source IP, which suggests automated injection tooling
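Detection logic for the indicators and monitoring signals above, as an added example and not tooling from the page or the project: it parses combined-format access log lines, URL-decodes the bg parameter sent to /file/infoAdd.php, flags the SQL tokens listed under Indicators of Compromise, and counts distinct payloads per source IP to surface the automated-tooling pattern. The log lines, the token pattern and the threshold are constructed for illustration.

```php
<?php
// Added example: scan web server access logs for CVE-2024-10418 probing.
// Constructed sample lines (combined log format); not real traffic.
const LOG_LINES = [
    '10.0.0.5 - - [27/Oct/2024:10:00:01 +0000] "GET /file/infoAdd.php?bg=A%2B HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Oct/2024:10:00:05 +0000] "GET /file/infoAdd.php?bg=O%27-- HTTP/1.1" 500 120',
    '10.0.0.9 - - [27/Oct/2024:10:00:07 +0000] "GET /file/infoAdd.php?bg=O%27%20UNION%20SELECT%201-- HTTP/1.1" 500 120',
    '10.0.0.9 - - [27/Oct/2024:10:00:09 +0000] "GET /file/infoAdd.php?bg=O%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Oct/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
];
// Tokens from the advisory's indicator list, matched after URL decoding.
const SQLI_PATTERN = '/(?:\'|--|;|\bunion\b|\bselect\b|\bsleep\s*\()/i';
// Constructed threshold for "varying payloads from the same source IP".
const MIN_DISTINCT_PAYLOADS = 2;

// Parse one log line; return ip, decoded bg and status, or null if the
// line is not a request to the vulnerable endpoint with a bg parameter.
function parseLine(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    if (parse_url($m[3], PHP_URL_PATH) !== '/file/infoAdd.php') {
        return null;
    }
    parse_str((string) parse_url($m[3], PHP_URL_QUERY), $q); // parse_str URL-decodes
    if (!isset($q['bg'])) {
        return null;
    }
    return ['ip' => $m[1], 'bg' => $q['bg'], 'status' => (int) $m[4]];
}

// Return human-readable alerts: one per suspicious request, plus one per
// source IP that sent several distinct injection payloads.
function scanLog(array $lines): array {
    $alerts = [];
    $payloadsByIp = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null || !preg_match(SQLI_PATTERN, $r['bg'])) {
            continue;
        }
        $alerts[] = sprintf('%s: SQLi indicator in bg=%s (HTTP %d)', $r['ip'], $r['bg'], $r['status']);
        $payloadsByIp[$r['ip']][$r['bg']] = true;
    }
    foreach ($payloadsByIp as $ip => $payloads) {
        if (count($payloads) >= MIN_DISTINCT_PAYLOADS) {
            $alerts[] = sprintf('%s: %d distinct injection payloads, likely automated tooling', $ip, count($payloads));
        }
    }
    return $alerts;
}

foreach (scanLog(LOG_LINES) as $alert) {
    echo $alert, PHP_EOL;
}
```

Run it against a real access log by replacing LOG_LINES with `file('access.log', FILE_IGNORE_NEW_LINES)`; POST bodies are not in access logs, so pair this with the WAF rule for the POST case.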
How to Mitigate CVE-2024-10418
Immediate Actions Required
- Restrict network exposure of the Blood Bank Management System to trusted networks or VPN access only
- Audit the infoAdd.php source and rewrite the bg parameter handling to use PDO prepared statements with bound parameters
- Rotate database credentials and review database accounts used by the application for excessive privileges
- Review web and database logs for prior exploitation attempts referencing the bg parameter
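The source-level fix described above (Root Cause and the PDO rewrite in Immediate Actions), shown as an added example rather than the project's own infoAdd.php: the concatenation pattern the advisory describes beside a hardened handler that allow-lists the blood group and binds the value through a PDO prepared statement. The table and column names (donor, blood_group), the DSN and credentials, and the set of accepted blood group labels are assumptions for illustration; note that valid labels contain + and -, so an allow-list is used rather than a purely alphanumeric check.

```php
<?php
// Added example, not the project's code. Table/column names, DSN and
// credentials are assumptions.

// BEFORE (the pattern described for infoAdd.php): bg is spliced into the
// SQL text, so a quote in the value ends the literal and the remainder is
// parsed as SQL syntax (CWE-89). Kept only to show the defect.
function addInfoVulnerable(PDO $db, string $bg): bool {
    $sql = "INSERT INTO donor (blood_group) VALUES ('" . $bg . "')";
    return $db->exec($sql) !== false;
}

// AFTER: allow-list validation, then a bound parameter.
const BLOOD_GROUPS = ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-']; // assumed label set

function validateBloodGroup(string $bg): string {
    $bg = strtoupper(trim($bg));
    if (!in_array($bg, BLOOD_GROUPS, true)) {
        throw new InvalidArgumentException('invalid blood group');
    }
    return $bg;
}

function addInfoSafe(PDO $db, string $bg): bool {
    $bg = validateBloodGroup($bg);
    // The driver sends the value separately from the SQL text, so the
    // value can never alter the statement's structure.
    $stmt = $db->prepare('INSERT INTO donor (blood_group) VALUES (:bg)');
    return $stmt->execute([':bg' => $bg]);
}

// Request handling: reject bad input with a 400 before touching the DB.
$pdo = new PDO('mysql:host=localhost;dbname=bloodbank;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native server-side prepares
]);
try {
    addInfoSafe($pdo, $_POST['bg'] ?? '');
    http_response_code(201);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid blood group');
}
```

The database error mode is set to exceptions so a failed statement is logged server-side rather than echoed to the client, which also removes the SQL error strings named in the monitoring recommendations from responses.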
Patch Information
No official vendor patch is referenced in the NVD entry for CVE-2024-10418. The product is distributed through code-projects.org as an educational PHP application. Operators must apply source-level fixes manually or replace the affected component. Consult the VulDB advisory for tracking updates.
Workarounds
- Place the application behind a web application firewall with SQL injection signatures enabled for the bg parameter
- Apply database least privilege so the application account cannot execute DROP or ALTER statements or read INFORMATION_SCHEMA
- Disable or remove the /file/infoAdd.php endpoint if it is not required for production operations
- Implement server-side input validation that rejects non-alphanumeric values for the bg blood group field
# Example: minimal ModSecurity rule to block SQLi attempts on the bg parameter
# (ModSecurity 2.7+ requires an id on the first rule of a chain; 1000100 is a placeholder,
# pick a free id from your local range; the chained rule inherits it)
SecRule REQUEST_URI "@contains /file/infoAdd.php" \
    "id:1000100,phase:2,chain,deny,status:403,log,msg:'CVE-2024-10418 SQLi attempt on bg parameter'"
    SecRule ARGS:bg "@rx (?i)(union(\s|/\*.*\*/)+select|sleep\s*\(|--|;|')" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


