CVE-2024-10423 Overview
CVE-2024-10423 is a SQL injection vulnerability in Project Worlds Student Project Allocation System 1.0. The flaw resides in the Project Selection Page component, specifically in /student/project_selection/project_selection.php. Attackers can manipulate the project_id parameter to inject arbitrary SQL statements into the backing database query. The vulnerability requires low privileges and can be exploited remotely without user interaction. Public disclosure of the exploit means unauthenticated and authenticated attackers alike may attempt it against exposed installations. The weakness is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low privileges can read, modify, or delete arbitrary records in the Student Project Allocation System database by tampering with the project_id parameter.
Affected Products
- Project Worlds Student Project Allocation System 1.0
- Component: Project Selection Page (/student/project_selection/project_selection.php)
- Vulnerable parameter: project_id
Discovery Timeline
- 2024-10-27 - CVE-2024-10423 published to NVD
- 2024-10-29 - Last updated in NVD database
Technical Details for CVE-2024-10423
Vulnerability Analysis
The Student Project Allocation System exposes a project selection workflow that consumes the project_id request parameter and concatenates it directly into a SQL statement. Because the application does not enforce parameterized queries or input sanitization, an attacker can append SQL syntax to the parameter value. The injected payload executes within the application's database context, granting access to records the student-level account would otherwise be unable to read.
The vulnerability is reachable over the network using standard HTTP requests. According to the disclosure on VulDB #281964, only a low-privileged authenticated session is required, which is trivial to obtain on a system designed for student self-registration. EPSS data places the probability of exploitation at 0.096%, but a public proof of concept has been released.
Root Cause
The root cause is improper neutralization of user-controlled input before its use in a SQL statement [CWE-89]. The project_id value is interpolated into the query string without prepared statements, type casting, or allow-list validation. This pattern is common in legacy PHP applications that rely on direct string concatenation with mysqli_query or similar APIs.
Attack Vector
An attacker authenticates to the application as a student and issues a crafted request to the project selection endpoint. The project_id parameter is replaced with a SQL payload such as a UNION SELECT clause or a boolean-based blind injection sequence. The backend executes the modified query, returning database content or altering records based on the injected logic. A public proof of concept is hosted on the jadu101 CVE GitHub repository.
// No verified exploit code is reproduced here.
// Refer to the linked GitHub PoC and VulDB entry for technical details.
Detection Methods for CVE-2024-10423
Indicators of Compromise
- HTTP requests to /student/project_selection/project_selection.php containing SQL keywords such as UNION, SELECT, SLEEP, --, or ' in the project_id parameter.
- Database error messages referencing project_id in web server or PHP error logs.
- Unusually long response times on the project selection endpoint, indicating time-based blind SQL injection.
- Unexpected outbound queries or schema enumeration activity from the application's database account.
Detection Strategies
- Deploy a web application firewall (WAF) rule that inspects the project_id parameter for SQL metacharacters and known injection signatures.
- Enable MySQL general query logging temporarily to identify malformed queries originating from project_selection.php.
- Correlate authentication events with anomalous request patterns to the project selection endpoint to surface low-and-slow injection attempts.
Monitoring Recommendations
- Alert on HTTP 500 responses from /student/project_selection/project_selection.php, which often accompany failed injection attempts.
- Monitor for repeated requests from a single session that vary only in the project_id value.
- Track database account activity for queries touching tables outside the project allocation schema.
How to Mitigate CVE-2024-10423
Immediate Actions Required
- Restrict access to the Student Project Allocation System to trusted networks until a fix is applied.
- Place the application behind a WAF with SQL injection signatures enabled and tuned for the project_id parameter.
- Audit the database account used by the application and revoke privileges beyond the minimum required for normal operation.
- Review web server and database logs for prior exploitation attempts referencing project_selection.php.
Patch Information
No vendor advisory or official patch is referenced in the NVD entry for CVE-2024-10423 at this time. Operators should monitor the Project Worlds website and the VulDB entry for updates. In the absence of a vendor fix, modify project_selection.php to use prepared statements with bound parameters and cast project_id to an integer before query construction.
Workarounds
- Replace the vulnerable query with a prepared statement using mysqli_prepare or PDO with bound parameters.
- Enforce server-side integer validation on project_id before the value reaches the database layer.
- Disable detailed PHP and MySQL error reporting in production to reduce information leakage that aids exploitation.
# Example: integer cast and prepared statement in PHP
# Replace direct concatenation with:
# $project_id = (int) $_GET['project_id'];
# $stmt = $mysqli->prepare("SELECT * FROM projects WHERE project_id = ?");
# $stmt->bind_param("i", $project_id);
# $stmt->execute();
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
