CVE-2024-10424 Overview
CVE-2024-10424 is a SQL injection vulnerability in Projectworlds Student Project Allocation System 1.0. The flaw resides in the /student/project_selection/remove_project.php script within the Project Selection Page component. Attackers can manipulate the no parameter to inject arbitrary SQL into backend database queries. The vulnerability is exploitable remotely over the network and requires only low-privilege authentication. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed deployments. The weakness is tracked under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can inject arbitrary SQL via the no parameter in remove_project.php, exposing or modifying database contents in the Student Project Allocation System.
Affected Products
- Projectworlds Student Project Allocation System 1.0
- Component: Project Selection Page (/student/project_selection/remove_project.php)
- Vulnerable parameter: no
Discovery Timeline
- 2024-10-27 - CVE-2024-10424 published to NVD
- 2024-10-29 - Last updated in NVD database
Technical Details for CVE-2024-10424
Vulnerability Analysis
The vulnerability is a classic SQL injection in a PHP web application. The remove_project.php endpoint accepts a user-controlled no parameter and concatenates it directly into a SQL statement without parameterization or sanitization. An attacker submits crafted input through the HTTP request, and the backend MySQL database executes the injected SQL clauses. The flaw maps to [CWE-89] and stems from missing prepared statements in the project removal workflow. The EPSS data indicates a low probability of active exploitation, but public disclosure of proof-of-concept material lowers the bar for attackers. Exploitation requires a valid student-level session, which limits but does not eliminate exposure on internet-facing deployments.
Root Cause
The root cause is direct string concatenation of the no parameter into a SQL DELETE or SELECT statement inside remove_project.php. The application does not validate the parameter as an integer and does not use parameterized queries or stored procedures. Any authenticated student account becomes an injection vector.
Attack Vector
The attack vector is network-based and requires low privileges with no user interaction. An attacker authenticates to the application, then issues a request to /student/project_selection/remove_project.php with a malicious no value containing SQL syntax. The injected payload alters query logic to extract database records, modify data, or chain further attacks. See the GitHub PoC Repository for technical details.
No verified exploit code is reproduced here. Refer to the VulDB entry #281965 for additional analysis of the injection mechanics.
Detection Methods for CVE-2024-10424
Indicators of Compromise
- HTTP requests to /student/project_selection/remove_project.php whose no parameter contains SQL meta-characters or keywords such as ', ", --, UNION, SELECT, or SLEEP, including their percent-encoded forms (%27, %22, %2D%2D) as they appear in raw access logs.
- Web server logs showing repeated 200/500 responses to remove_project.php from a single session within a short timeframe.
- Database errors or unusual query latency originating from the project allocation database.
Detection Strategies
- Deploy web application firewall (WAF) rules that flag SQL keywords and tautologies in the no parameter of remove_project.php.
- Inspect MySQL general or slow query logs for malformed DELETE or SELECT statements referencing the projects table.
- Correlate authenticated student sessions with anomalous request volumes against the project selection endpoints.
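The first and third detection strategies above, run over constructed access-log lines as an added Python example (not from the advisory or from Projectworlds): it parses combined-format entries, percent-decodes the no parameter of requests to remove_project.php, flags values that are not plain positive integers, and counts flagged requests per source address. The log lines, the request-count threshold and the verdict names ("sqli", "suspicious") are assumptions for illustration.

```python
"""Log-based detection of probes against remove_project.php (CVE-2024-10424).

Added example, not part of the original advisory. It scans constructed
combined-format access log lines (Apache/nginx style) and flags requests
to the vulnerable endpoint whose `no` parameter is not a positive integer.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/student/project_selection/remove_project.php"

# Combined log format: ip - - [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Keywords from the IoC list, matched case-insensitively on the decoded value.
SQLI_RE = re.compile(r"(?i)(union|select|sleep|--|'|\")")

# Constructed sample log lines (not real traffic). The second to fourth entries
# are percent-encoded payloads from one source, as a scanner would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2024:10:01:02 +0000] "GET /student/project_selection/remove_project.php?no=12 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2024:10:02:10 +0000] "GET /student/project_selection/remove_project.php?no=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2311 "-" "sqlmap/1.8"
10.0.0.9 - - [27/Oct/2024:10:02:11 +0000] "GET /student/project_selection/remove_project.php?no=12%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "sqlmap/1.8"
10.0.0.9 - - [27/Oct/2024:10:02:12 +0000] "GET /student/project_selection/remove_project.php?no=12%20AND%20SLEEP(5) HTTP/1.1" 200 412 "-" "sqlmap/1.8"
10.0.0.7 - - [27/Oct/2024:10:03:00 +0000] "GET /student/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def classify_no(value: str) -> str:
    """'ok' for a plain positive integer, 'sqli' when IoC keywords appear,
    'suspicious' for any other non-integer value (allowlist first)."""
    if value.isdigit() and int(value) > 0:
        return "ok"
    if SQLI_RE.search(value):
        return "sqli"
    return "suspicious"


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per non-integer `no` value sent to the target path."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes the value; only the first `no` is inspected.
        no_value = parse_qs(parts.query).get("no", [""])[0]
        verdict = classify_no(no_value)
        if verdict != "ok":
            findings.append(
                {"ip": m.group("ip"), "no": no_value,
                 "verdict": verdict, "status": m.group("status")}
            )
    return findings


def noisy_sources(findings: List[Dict[str, str]], threshold: int = 3) -> Dict[str, int]:
    """Source addresses with at least `threshold` flagged requests, i.e. the
    'repeated 200/500 responses from a single source' indicator."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("noisy sources:", noisy_sources(hits))
```

The allowlist check runs first on purpose: a value that is not a positive integer is already a finding, whether or not it matches the keyword list, so encoded or obfuscated payloads that slip past the regex are still reported as "suspicious".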
Monitoring Recommendations
- Forward web server access logs and database audit logs to a centralized SIEM for correlation and retention.
- Alert on MySQL error strings such as You have an error in your SQL syntax appearing in HTTP responses or application error logs; a verbose error page also confirms to the attacker that the injection reached the database.
- Monitor outbound traffic from the application host for data exfiltration patterns following suspicious requests.
How to Mitigate CVE-2024-10424
Immediate Actions Required
- Restrict access to the Student Project Allocation System to trusted networks until a fix is applied.
- Revoke and rotate database credentials used by the web application if compromise is suspected.
- Audit existing student accounts and disable inactive or untrusted users that could leverage the vulnerability.
Patch Information
No vendor advisory or official patch from Projectworlds has been published for CVE-2024-10424 at the time of writing. Operators must apply source-level fixes themselves: replace the concatenated SQL in remove_project.php with a parameterized query (PDO or mysqli prepared statements, with the value bound as an integer), and reject any no value that is not a positive integer before the database layer is reached. A bare (int) cast alone stops the injection but silently turns garbage into 0; an explicit check (for example ctype_digit()) also surfaces probing attempts in the application logs.
Workarounds
- Implement input validation in remove_project.php to enforce that no is a positive integer before passing it to the database layer.
- Deploy a WAF signature blocking SQL meta-characters on requests to /student/project_selection/remove_project.php.
- Apply least-privilege database accounts so the web application user cannot execute DROP, ALTER, or cross-database queries.
- If patching is not feasible, take the affected endpoint offline until remediation is complete.
# Example WAF rule (ModSecurity) blocking SQLi patterns on the vulnerable endpoint.
# Disruptive actions (deny/status) belong on the first rule of the chain; the chained
# rule only adds its test. ARGS values are already URL-decoded by the engine, so
# %27 and %2D%2D are caught. Tighter allowlist alternative for the second rule:
#   SecRule ARGS:no "!@rx ^[0-9]+$" "t:none"
SecRule REQUEST_URI "@contains /student/project_selection/remove_project.php" \
    "phase:2,chain,deny,status:403,log,id:1024100424,msg:'CVE-2024-10424 SQLi attempt'"
    SecRule ARGS:no "@rx (?i)(union|select|sleep|--|'|\")" "t:none"
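The Root Cause and Attack Vector sections describe the concatenated DELETE, and the Patch Information and Workarounds sections its parameterized, integer-validated replacement. The following Python example, added here and not taken from Projectworlds' code, shows both behaviours side by side on an in-memory SQLite table standing in for the application's MySQL database. The table name project_selection, its columns and the exact DELETE statement are assumptions (the advisory only says that no is concatenated into a DELETE or SELECT); the payload 1 OR 1=1 is the standard tautology. The PHP fix has the same shape: validate no, prepare the statement with a ? placeholder and bind the value as an integer.

```python
"""Vulnerable vs. hardened project removal, modelled on CVE-2024-10424.

Added illustration, not code from Projectworlds. Python with an in-memory
SQLite table stands in for the PHP/MySQL application; the table name,
its columns and the exact DELETE statement are assumptions.
"""
import sqlite3
from typing import Callable, Tuple

# Constructed sample data: three students, each holding one project selection.
SAMPLE_ROWS = [
    (1, "s1001", "Library Management"),
    (2, "s1002", "Parking System"),
    (3, "s1003", "Online Quiz"),
]


def fresh_db() -> sqlite3.Connection:
    """Create the assumed project_selection table and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE project_selection "
        "(project_no INTEGER PRIMARY KEY, student_id TEXT, project TEXT)"
    )
    conn.executemany("INSERT INTO project_selection VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def remove_project_vulnerable(conn: sqlite3.Connection, no: str) -> int:
    """The CWE-89 pattern: the request parameter is pasted into the SQL text.
    Returns the number of rows deleted, which the attacker now controls."""
    sql = "DELETE FROM project_selection WHERE project_no = " + no
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def remove_project_hardened(conn: sqlite3.Connection, no: str) -> int:
    """Allowlist the parameter as a positive integer, then bind it.
    Anything else is rejected before the database sees it."""
    if not no.isdigit() or int(no) < 1:
        raise ValueError("no must be a positive integer")
    cur = conn.execute(
        "DELETE FROM project_selection WHERE project_no = ?", (int(no),)
    )
    conn.commit()
    return cur.rowcount


def rows_left(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM project_selection").fetchone()[0]


def simulate_request(
    no: str, handler: Callable[[sqlite3.Connection, str], int]
) -> Tuple[int, int]:
    """Run one request against a fresh table; return (rows deleted, rows remaining).
    A rejected request counts as zero deletions."""
    conn = fresh_db()
    try:
        deleted = handler(conn, no)
    except ValueError:
        deleted = 0
    return deleted, rows_left(conn)


if __name__ == "__main__":
    payload = "1 OR 1=1"  # tautology: the WHERE clause now matches every row
    print("no=2, vulnerable:   ", simulate_request("2", remove_project_vulnerable))
    print("payload, vulnerable:", simulate_request(payload, remove_project_vulnerable))
    print("payload, hardened:  ", simulate_request(payload, remove_project_hardened))
```

With the concatenated form, one student session wipes every row in the table; the hardened form deletes only the bound row and refuses the payload outright. The validation step matters even with a bound parameter, because rejecting malformed input gives the detection strategies above something to log.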
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


