CVE-2024-1923 Overview
CVE-2024-1923 is a critical SQL Injection vulnerability discovered in SourceCodester Simple Student Attendance System version 1.0. The vulnerability exists in the delete_class and delete_student functions within the /ajax-api.php component, specifically on the List of Classes Page. By manipulating the id parameter with malicious SQL syntax, an attacker can inject arbitrary SQL commands that are executed by the backend database.
Critical Impact
This SQL Injection vulnerability allows unauthenticated remote attackers to read, modify, or delete data from the database, potentially compromising all student attendance records, user credentials, and sensitive institutional data.
Affected Products
- SourceCodester Simple Student Attendance System 1.0
- oretnom23 simple_student_attendance_system 1.0
Discovery Timeline
- 2024-02-27 - CVE-2024-1923 published to NVD
- 2024-12-06 - Last updated in NVD database
Technical Details for CVE-2024-1923
Vulnerability Analysis
This SQL Injection vulnerability affects the AJAX API endpoint responsible for handling class and student deletion operations. The application fails to properly sanitize user-supplied input in the id parameter before incorporating it into SQL queries. When a user submits a request to delete a class or student record, the id parameter value is directly concatenated into the SQL statement without parameterization or proper escaping.
The vulnerable endpoint /ajax-api.php processes actions such as delete_class and delete_student, both of which accept an id parameter. Because this input is not validated or sanitized, an attacker can craft malicious payloads that alter the intended SQL query structure. The exploit has been publicly disclosed, increasing the risk of exploitation in the wild.
Root Cause
The root cause of this vulnerability is improper input validation and the use of dynamic SQL query construction without parameterized queries or prepared statements. The PHP application directly concatenates user-controlled input from the id parameter into SQL queries, violating secure coding practices for database interactions. This design flaw is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Attack Vector
The attack can be launched remotely over the network without requiring any authentication or user interaction. An attacker targets the /ajax-api.php endpoint with a crafted HTTP request containing a malicious id parameter value.
The documented exploit payload uses the input 1337'+or+1=1;--+, which demonstrates a classic SQL Injection technique. The single quote breaks out of the expected string context, the or 1=1 condition creates a tautology that modifies the query logic, and the -- (followed by +, a URL-encoded space) comments out any remaining SQL code. This allows the attacker to bypass intended query restrictions and potentially extract or manipulate database contents.
For technical details on the exploitation methodology, refer to the GitHub PoC Repository and VulDB #254858.
Detection Methods for CVE-2024-1923
Indicators of Compromise
- Anomalous HTTP requests to /ajax-api.php containing SQL syntax characters such as single quotes, semicolons, or comment markers (--)
- Database logs showing unusual query patterns, failed queries, or queries returning unexpectedly large result sets
- Web server access logs with encoded SQL injection payloads in the id parameter (e.g., %27, %2B, %3B)
- Unexpected modifications or deletions in the student attendance database tables
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns in request parameters
- Implement database activity monitoring to alert on suspicious query patterns or unauthorized data access
- Configure intrusion detection systems (IDS) to identify SQL injection attack signatures targeting PHP applications
- Enable detailed logging on the web server and database to capture request parameters and query execution
Monitoring Recommendations
- Monitor /ajax-api.php endpoint for requests with abnormal id parameter values or high request volumes
- Set up alerts for database authentication failures or privilege escalation attempts
- Review application logs regularly for error messages indicating SQL syntax errors or query failures
- Track changes to critical database tables containing student and class records
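As an added example (not from the advisory or the vendor), the following PHP script applies the indicators of compromise and monitoring items above to web server access-log lines: any request to /ajax-api.php whose id parameter, after URL decoding, is not a plain integer is flagged, together with the SQL metacharacters it contains. The log lines are constructed for illustration.

```php
<?php
// Added example, not part of the advisory or the project: flag access-log
// requests to /ajax-api.php whose id parameter is not a plain integer.
// The sample log lines at the bottom are constructed.

function suspicious_id_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: "METHOD /path?query HTTP/x.y"
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== '/ajax-api.php' || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params);   // parse_str URL-decodes (%27 -> ', + -> space)
        if (!isset($params['id'])) {
            continue;
        }
        $id = (string) $params['id'];
        // A record id should be digits only; anything else is abnormal. Record which
        // SQL metacharacters appeared (quote, semicolon, comment marker, OR keyword).
        if (!preg_match('/^\d+$/', $id)) {
            preg_match_all('/\'|;|--|#|\bor\b/i', $id, $chars);
            $hits[] = [
                'action'  => $params['action'] ?? '',
                'id'      => $id,
                'markers' => array_values(array_unique($chars[0])),
                'line'    => $line,
            ];
        }
    }
    return $hits;
}

$sample = [  // constructed lines; the second carries the advisory's documented payload, URL-encoded
    '203.0.113.7 - - [01/Mar/2024:10:01:02 +0000] "GET /ajax-api.php?action=delete_class&id=12 HTTP/1.1" 200 41',
    '203.0.113.7 - - [01/Mar/2024:10:01:09 +0000] "GET /ajax-api.php?action=delete_class&id=1337%27+or+1%3D1%3B--+ HTTP/1.1" 200 41',
    '198.51.100.4 - - [01/Mar/2024:10:02:00 +0000] "GET /index.php?page=classes HTTP/1.1" 200 5120',
];
foreach (suspicious_id_requests($sample) as $hit) {
    printf("ALERT action=%s id=%s markers=%s\n", $hit['action'], $hit['id'], implode(',', $hit['markers']));
}
```

POST bodies are not written to access logs, so for POST requests the same check belongs in a WAF rule or in application-side logging of request parameters.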
How to Mitigate CVE-2024-1923
Immediate Actions Required
- Immediately restrict or disable access to the vulnerable Simple Student Attendance System if it is exposed to untrusted networks
- Implement network-level access controls to limit access to the application only from trusted IP addresses
- Review database logs for evidence of exploitation and assess potential data compromise
- Consider taking the application offline until a secure version is available or the vulnerability is patched
Patch Information
No official patch from the vendor (oretnom23/SourceCodester) has been documented in the available CVE data. Organizations using this application should contact the developer or seek community-provided fixes. Given the critical nature of this vulnerability and the public availability of the exploit, upgrading to a patched version (if available) or implementing manual code remediation is strongly recommended.
Workarounds
- Modify the source code to implement parameterized queries (prepared statements) for all database operations in /ajax-api.php
- Apply input validation to reject any id parameter values that do not conform to expected numeric formats
- Deploy a Web Application Firewall (WAF) in front of the application to filter malicious SQL injection payloads
- Restrict database user privileges to the minimum necessary permissions, limiting the impact of successful SQL injection attacks
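To make the Root Cause and the first two workarounds concrete, here is an added PHP illustration (not the project's own code) showing the concatenation pattern the advisory describes beside a hardened handler for the delete_class and delete_student actions: the id is validated as a positive integer and then bound as a prepared-statement parameter. Table names, column names and database credentials are assumed.

```php
<?php
// Added illustration, not the project's own code. The vulnerable function mirrors
// the concatenation pattern described in the advisory; the rest is the hardened form.
// Table names (class_list, student_list) and DB credentials are assumed.

// VULNERABLE PATTERN (CWE-89): the raw id is spliced into the SQL text, so a
// value such as 1337'+or+1=1;--+ rewrites the WHERE clause instead of selecting a row.
function delete_class_vulnerable(mysqli $db, string $rawId): bool
{
    return (bool) $db->query("DELETE FROM class_list WHERE id = '" . $rawId . "'");
}

// HARDENED, step 1: accept only a positive integer id.
function validateId($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// HARDENED, step 2: bind the id as a typed parameter so the database never parses it as SQL.
function deleteRow(mysqli $db, string $action, $rawId): int
{
    // Fixed action-to-table map: the table name is never built from user input.
    $tables = ['delete_class' => 'class_list', 'delete_student' => 'student_list'];
    if (!isset($tables[$action])) {
        throw new InvalidArgumentException('unknown action');
    }
    $id = validateId($rawId);
    $stmt = $db->prepare("DELETE FROM {$tables[$action]} WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Minimal dispatcher. An authenticated, authorised session check belongs before
// this point: the advisory notes the endpoint is reachable without authentication.
$db = new mysqli('localhost', 'attendance_app', 'DB_PASSWORD_PLACEHOLDER', 'attendance_db');
$db->set_charset('utf8mb4');
try {
    $deleted = deleteRow($db, $_POST['action'] ?? '', $_POST['id'] ?? '');
    echo json_encode(['status' => 'success', 'deleted' => $deleted]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);             // generic error; no SQL details leaked to the client
    echo json_encode(['status' => 'failed', 'msg' => $e->getMessage()]);
}
```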
# Example: Restrict access to the vulnerable endpoint via .htaccess
# (Apache 2.2 syntax; on Apache 2.4 replace the Order/Deny/Allow lines with
# "Require ip 192.168.1.0/24" or load mod_access_compat. Adjust the CIDR to
# the trusted network and make sure AllowOverride permits these directives.)
<Files "ajax-api.php">
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.