CVE-2024-10450 Overview
CVE-2024-10450 is a SQL injection vulnerability in SourceCodester Kortex Lite Advocate Office Management System 1.0. The flaw resides in the /kortex_lite/control/edit_profile.php endpoint, where the id POST parameter is concatenated into a database query without sanitization. Authenticated remote attackers can manipulate the id argument to inject arbitrary SQL statements. The exploit has been publicly disclosed and may be reused by opportunistic attackers. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low privileges can extract, modify, or delete records from the application database through the unsanitized id POST parameter in edit_profile.php.
Affected Products
- SourceCodester Kortex Lite Advocate Office Management System 1.0
- Mayurik Advocate Office Management System 1.0
- Component: POST Parameter Handler in /kortex_lite/control/edit_profile.php
Discovery Timeline
- 2024-10-28 - CVE-2024-10450 published to NVD
- 2024-11-22 - Last updated in NVD database
Technical Details for CVE-2024-10450
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw [CWE-89] in the profile editing workflow. The edit_profile.php script in the /kortex_lite/control/ directory accepts an id value via POST and incorporates it directly into a SQL query string. Because no parameterized queries, prepared statements, or input validation routines are applied, attackers can break out of the intended query context.
Attackers with low-privilege authenticated access can submit crafted payloads to read arbitrary tables, including user credential stores. They can also chain UNION-based or boolean-based techniques to enumerate the database schema. The application runs on PHP with a MySQL backend, which exposes typical injection primitives such as UNION SELECT, SLEEP(), and INTO OUTFILE.
Root Cause
The root cause is the direct concatenation of the user-supplied id POST parameter into a SQL statement without sanitization or use of bound parameters. The application trusts client-submitted data and fails to enforce type checking or input validation before passing values to the database driver.
Attack Vector
Exploitation requires network access to the web application and a low-privilege account. The attacker submits a POST request to /kortex_lite/control/edit_profile.php with a malicious payload appended to the id parameter. Successful injection allows extraction of sensitive case files, client records, and administrative credentials managed by the office management system. Public disclosure on VulDB and GitHub increases the likelihood of automated scanning and exploitation. Refer to the GitHub CVE Project Documentation for the disclosed proof-of-concept details.
Detection Methods for CVE-2024-10450
Indicators of Compromise
- POST requests to /kortex_lite/control/edit_profile.php containing SQL meta-characters such as ', ", --, UNION, SELECT, or SLEEP( in the id parameter.
- Web server access logs showing repeated requests to edit_profile.php with abnormally long or encoded id values.
- Database error messages returned in HTTP responses referencing MySQL syntax errors.
- Outbound connections from the database host to unexpected destinations following profile edit activity.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect POST bodies for SQL injection signatures targeting the id parameter.
- Enable MySQL general query logging temporarily to identify malformed or suspicious statements originating from edit_profile.php.
- Correlate authentication events with subsequent POST traffic to edit_profile.php to flag low-privilege accounts performing schema enumeration.
Monitoring Recommendations
- Alert on HTTP 500 responses from edit_profile.php, which often indicate failed injection attempts producing SQL syntax errors.
- Monitor for sudden spikes in database query volume or query execution time tied to the application service account.
- Track read access patterns against sensitive tables such as user, case, and credential stores.
How to Mitigate CVE-2024-10450
Immediate Actions Required
- Restrict network access to the Kortex Lite application to trusted users via VPN or IP allow-listing until a patch is available.
- Disable the edit_profile.php endpoint if it is not actively required by business workflows.
- Rotate database credentials and audit recent profile-edit activity for signs of injection attempts.
- Review database accounts used by the application and enforce least privilege on the schema.
Patch Information
No official vendor patch has been published for SourceCodester Kortex Lite Advocate Office Management System 1.0 at the time of this writing. Operators should monitor the SourceCodester Security Resources page for updates and consult the VulDB entry #282010 for tracking remediation status.
Workarounds
- Implement a reverse-proxy WAF rule that rejects POST requests to edit_profile.php when the id parameter contains non-numeric characters.
- Modify edit_profile.php to cast $_POST['id'] to an integer using intval() before query construction, as a temporary code-level mitigation.
- Replace string-concatenated SQL with PDO prepared statements and bound parameters across all control/ scripts.
- Run the MySQL service under a least-privileged account with SELECT and UPDATE limited to required tables only.
# Configuration example: ModSecurity rule to block non-numeric id values
SecRule REQUEST_URI "@endsWith /kortex_lite/control/edit_profile.php" \
"phase:2,chain,deny,status:403,id:1024100,msg:'CVE-2024-10450 SQLi attempt'"
SecRule ARGS:id "!@rx ^[0-9]+$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
