CVE-2024-10735 Overview
CVE-2024-10735 is a SQL injection vulnerability in Project Worlds Life Insurance Management System 1.0. The flaw exists in /editNominee.php, where the nominee_id parameter is passed directly to a database query without proper sanitization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements against the backend database.
The exploit details have been publicly disclosed, increasing the likelihood of opportunistic attacks against exposed deployments. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can read, modify, or delete database records containing sensitive policyholder and nominee data through SQL injection in the nominee_id parameter.
Affected Products
- Project Worlds Life Insurance Management System 1.0
- Component: /editNominee.php
- Vulnerable parameter: nominee_id
Discovery Timeline
- 2024-11-03 - CVE-2024-10735 published to NVD
- 2024-11-05 - Last updated in NVD database
Technical Details for CVE-2024-10735
Vulnerability Analysis
The vulnerability resides in the editNominee.php script of the Life Insurance Management System. The application accepts a nominee_id value from a remote request and concatenates it into a SQL query executed against the backend database. Because the value is not parameterized or escaped, attackers can break out of the intended query context.
An attacker with low-privileged authenticated access can issue crafted requests over the network. Successful exploitation can expose nominee records, policyholder personal data, premium history, and administrative account credentials stored in the database. Attackers can also modify or delete records, undermining data integrity within the insurance management workflow.
Root Cause
The root cause is improper neutralization of user-supplied input within a SQL statement [CWE-89]. The nominee_id parameter is interpolated directly into the query string rather than being bound through prepared statements. No type validation, allow-listing, or escaping is performed before the value reaches the database driver.
Attack Vector
The attack is conducted remotely over the network against the /editNominee.php endpoint. The attacker submits a request with a malicious nominee_id payload containing SQL operators such as UNION SELECT, boolean conditions, or stacked queries. Public proof-of-concept material is referenced through the GitHub SQL Injection Report and VulDB entry #282904.
No verified code examples are available. The exploitation mechanism follows a standard error-based or union-based SQL injection pattern against the unsanitized nominee_id argument.
Detection Methods for CVE-2024-10735
Indicators of Compromise
- HTTP requests to /editNominee.php containing SQL meta-characters such as single quotes, --, UNION, SELECT, OR 1=1, or ; in the nominee_id parameter.
- Unexpected database error responses returned to clients accessing editNominee.php.
- Web server access logs showing repeated requests to editNominee.php from a single source with varying nominee_id values.
Detection Strategies
- Inspect web server and application logs for nominee_id values that are non-numeric or contain encoded SQL syntax such as %27, %20OR%20, or %20UNION%20.
- Deploy web application firewall (WAF) signatures targeting SQL injection patterns on the editNominee.php endpoint.
- Correlate database query errors with application access logs to identify reconnaissance attempts.
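As an added example (not code from the advisory or from Project Worlds), the following Python script applies the detection strategy above to constructed Apache combined-format access-log lines: it URL-decodes the nominee_id value of each /editNominee.php request, flags non-numeric values and the SQL meta-characters listed under Indicators of Compromise, keeps the HTTP status so 5xx responses can be correlated, and counts distinct nominee_id values per source. The sample lines, the field layout and the noise threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit
# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2024:10:01:02 +0000] "GET /editNominee.php?nominee_id=17 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Nov/2024:10:02:11 +0000] "GET /editNominee.php?nominee_id=17%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "curl/8.4"
10.0.0.9 - - [03/Nov/2024:10:02:13 +0000] "GET /editNominee.php?nominee_id=17%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2201 "-" "curl/8.4"
10.0.0.9 - - [03/Nov/2024:10:02:15 +0000] "GET /editNominee.php?nominee_id=18 HTTP/1.1" 200 1850 "-" "curl/8.4"
10.0.0.7 - - [03/Nov/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Meta-characters and keywords from the IoC list, applied to the URL-decoded value.
SQL_HINTS = re.compile(r"('|--|;|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=\s*\S+)", re.IGNORECASE)

def classify_value(value):
    """Return None for a plain integer id, else a short reason string."""
    if re.fullmatch(r"\d+", value):
        return None
    hit = SQL_HINTS.search(value)
    return "sql-syntax:" + hit.group(0).split()[0].lower() if hit else "non-numeric"

def analyze_log(text):
    """Return (findings, distinct_ids_per_source) for /editNominee.php requests."""
    findings, distinct = [], defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/editNominee.php":
            continue
        # parse_qs percent-decodes, so %27 / %20OR%20 are inspected as ' / OR
        for value in parse_qs(url.query).get("nominee_id", []):
            distinct[m.group("ip")].add(value)
            reason = classify_value(value)
            if reason:
                findings.append((m.group("ip"), value, reason, int(m.group("status"))))
    return findings, {ip: len(ids) for ip, ids in distinct.items()}

def noisy_sources(distinct_counts, threshold=3):
    """Sources cycling through many nominee_id values (enumeration or probing)."""
    return sorted(ip for ip, n in distinct_counts.items() if n >= threshold)

if __name__ == "__main__":
    hits, counts = analyze_log(SAMPLE_LOG)
    print(hits)
    print("noisy sources:", noisy_sources(counts))
```

The same two checks can be run against real logs by feeding the file contents to analyze_log; the status field lets a 5xx on a flagged request be tied to the database error responses mentioned above.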
Monitoring Recommendations
- Enable database query logging and alert on syntactically anomalous queries originating from the Life Insurance Management System service account.
- Monitor for sudden spikes in outbound data volume from the database host, which may indicate exfiltration via injection.
- Track authentication events and rate-limit repeated failed access attempts to the application.
How to Mitigate CVE-2024-10735
Immediate Actions Required
- Restrict network access to the Life Insurance Management System to trusted users until a fix is applied, ideally placing it behind a VPN or IP allow-list.
- Deploy WAF rules to block SQL injection payloads targeting the nominee_id parameter of /editNominee.php.
- Audit the application database for unauthorized record changes, new administrative accounts, or signs of data exfiltration.
Patch Information
No vendor patch is referenced in the available advisories. Project Worlds has not published a fixed version as of the last NVD update on 2024-11-05. Organizations relying on this software should evaluate alternative solutions or implement source-code fixes by replacing dynamic query construction with parameterized statements (PDO prepared statements or mysqli_prepare).
Workarounds
- Modify editNominee.php to validate that nominee_id is a strict integer using intval() or filter_var($id, FILTER_VALIDATE_INT) before use in queries.
- Refactor database access to use prepared statements with bound parameters, eliminating string concatenation in SQL queries.
- Apply the principle of least privilege to the database account used by the application, removing DROP, ALTER, and administrative permissions.
- Disable verbose database error messages in production to prevent information leakage that aids injection attacks.
# Example PHP remediation: parameterized query with PDO ($pdo is an open PDO connection)
# Reject anything that is not a well-formed integer before it reaches the query.
$id = filter_var($_GET['nominee_id'] ?? '', FILTER_VALIDATE_INT);
if ($id === false) { http_response_code(400); exit; }
$stmt = $pdo->prepare('SELECT * FROM nominees WHERE nominee_id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT); // bound as an integer, never interpolated
$stmt->execute();
$nominee = $stmt->fetch(PDO::FETCH_ASSOC);
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.