CVE-2024-4912 Overview
CVE-2024-4912 is a SQL injection vulnerability in Campcodes Online Examination System 1.0. The flaw resides in the addExamExe.php file, where the examTitle parameter is passed directly into a database query without proper sanitization [CWE-89]. Authenticated remote attackers can manipulate the parameter to inject arbitrary SQL statements. A public proof-of-concept has been disclosed, lowering the barrier to exploitation. The vulnerability is tracked as VulDB identifier VDB-264447 and carries an EPSS probability of 0.194%.
Critical Impact
Remote attackers with low-privileged access can inject SQL commands through the examTitle parameter, enabling unauthorized read and modification of examination database records.
Affected Products
- Campcodes Online Examination System 1.0
- Component: addExamExe.php
- Vulnerable parameter: examTitle
Discovery Timeline
- 2024-05-15 - CVE-2024-4912 published to NVD
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-4912
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-supplied input in the addExamExe.php script of Campcodes Online Examination System 1.0. The examTitle argument is concatenated into a SQL query without parameterization or input validation. This allows an attacker to break out of the intended query context and execute arbitrary SQL statements against the backend database.
Exploitation requires network access and low-privileged authentication to the application. The attack complexity is low, and no user interaction is required. A successful injection can return confidential exam data, modify exam records, or be chained with database functionality to enumerate the underlying schema.
The issue maps to CWE-89: Improper Neutralization of Special Elements used in an SQL Command. A public proof-of-concept demonstrating the injection has been published, increasing the likelihood of opportunistic abuse against exposed instances.
Root Cause
The root cause is the absence of prepared statements or input sanitization in the routine that processes new exam submissions. The application accepts the examTitle POST parameter and inserts the raw value into a dynamic SQL string. Without bound parameters or escaping, attacker-controlled SQL metacharacters such as single quotes, comments, and UNION clauses are interpreted as query syntax.
Attack Vector
An authenticated attacker submits a crafted HTTP request to the addExamExe.php endpoint with malicious SQL syntax embedded in the examTitle field. Because the request can be sent remotely over the network, any reachable instance of the application is exposed. Refer to the GitHub PoC Document for the disclosed payload and request structure.
Detection Methods for CVE-2024-4912
Indicators of Compromise
- HTTP POST requests to addExamExe.php containing SQL metacharacters such as ', --, UNION, or SLEEP( in the examTitle parameter.
- Database error messages returned in HTTP responses referencing MySQL syntax errors near the examTitle value.
- Unexpected new or modified rows in the exam table tied to administrative accounts during off-hours.
Detection Strategies
- Inspect web server access logs for bursts of POST requests to addExamExe.php from a single session, or requests with unusually large Content-Length values; note that standard access logs do not record POST bodies, so the examTitle value itself is only visible in a ModSecurity audit log or in application-side logging of the parameter.
- Deploy a web application firewall (WAF) rule set with SQL injection signatures focused on the affected endpoint and parameter.
- Enable database query logging and alert on tautologies, UNION SELECT statements, or time-based delay functions originating from the application service account.
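The query-log strategy above, as an added detection example that is not part of the original advisory: a small PHP CLI script that scans MySQL general-log lines and reports statements against the exam table that carry injection markers. The log format (MySQL 8 file-style general log, `<time> <thread id> Query <statement>`), the table name `exam`, and the six log lines are constructed assumptions.

```php
<?php
// Added detection example for CVE-2024-4912; not part of the original advisory.
// Assumes the MySQL 8 general-log file format: "<time>\t<thread> Query\t<sql>".
// The sample lines below are constructed; the table name `exam` is assumed.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
2024-05-16T02:13:44.101Z    12 Query    INSERT INTO exam (examTitle) VALUES ('Midterm 1')
2024-05-16T02:13:51.233Z    12 Query    INSERT INTO exam (examTitle) VALUES ('x'),('injected')-- ')
2024-05-16T02:14:02.870Z    13 Query    INSERT INTO exam (examTitle) VALUES ('x'+SLEEP(3)+'')
2024-05-16T02:14:05.004Z    13 Query    SELECT * FROM exam WHERE examTitle='a' UNION SELECT username,password FROM users-- '
2024-05-16T02:14:09.511Z    14 Query    SELECT 1 FROM exam WHERE examTitle='' OR '1'='1'
2024-05-16T02:14:10.000Z    14 Query    SELECT COUNT(*) FROM students
LOG;

/** Injection markers worth alerting on: regex => label. */
const MARKERS = [
    '/union\s+(all\s+)?select/i'                 => 'UNION SELECT',
    '/\b(sleep|benchmark)\s*\(/i'                => 'time-based delay',
    '/\'\s*or\s*\'?\d+\'?\s*=\s*\'?\d+/i'        => 'tautology',
    '/--\s|\/\*/'                                => 'SQL comment',
];

/**
 * Parse one general-log line into time/thread/sql, or null for lines that
 * are not "Query" records (Connect, Quit, continuation lines, ...).
 */
function parseGeneralLogLine(string $line): ?array
{
    if (preg_match('/^(\S+)\s+(\d+)\s+Query\s+(.*)$/', $line, $m) !== 1) {
        return null;
    }
    return ['time' => $m[1], 'thread' => (int) $m[2], 'sql' => $m[3]];
}

/**
 * Return one finding per statement that touches the exam table and matches
 * at least one injection marker.
 */
function findInjectionAttempts(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseGeneralLogLine($line);
        // Only statements against the exam table are in scope for this CVE.
        if ($entry === null || preg_match('/\bexam\b/i', $entry['sql']) !== 1) {
            continue;
        }
        $hits = [];
        foreach (MARKERS as $re => $label) {
            if (preg_match($re, $entry['sql']) === 1) {
                $hits[] = $label;
            }
        }
        if ($hits !== []) {
            $findings[] = $entry + ['markers' => $hits];
        }
    }
    return $findings;
}

foreach (findInjectionAttempts(SAMPLE_LOG) as $f) {
    printf("%s thread=%d [%s] %s\n",
        $f['time'], $f['thread'], implode(', ', $f['markers']), $f['sql']);
}
```

Run it with `php detect.php`, or replace `SAMPLE_LOG` with the contents of the real general log. The general log records every statement and is expensive, so enable it only while investigating, or feed the same logic from an audit plugin (MySQL Enterprise Audit, MariaDB Audit Plugin) instead. Matching on the thread id is what lets a finding be tied back to the application connection and, through the web access log timestamps, to the session that sent the request.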
Monitoring Recommendations
- Continuously monitor authenticated application sessions that generate elevated error rates from the database backend.
- Correlate web request telemetry with database audit logs to identify injection attempts that bypass front-end validation.
- Watch the HTTP side for exfiltration: data pulled through this injection leaves in-band, either in unusually large responses to addExamExe.php or, for blind extraction, as long runs of requests from one session whose response times cluster around a fixed delay (the SLEEP( pattern used by automated tools).
How to Mitigate CVE-2024-4912
Immediate Actions Required
- Restrict network exposure of Campcodes Online Examination System 1.0 to trusted networks or VPN-only access until a fix is available.
- Disable or limit account creation to reduce the number of low-privileged users able to reach addExamExe.php.
- Deploy WAF rules that block SQL injection payloads targeting the examTitle parameter.
Patch Information
No official vendor patch has been published for Campcodes Online Examination System 1.0 at the time of NVD publication. Organizations should consult the VulDB advisory for updates and contact the vendor directly for remediation status. If no patch is forthcoming, consider migrating to a maintained alternative.
Workarounds
- Modify addExamExe.php to use a prepared statement with a bound parameter (mysqli_prepare/bind_param or PDO::prepare) instead of concatenating examTitle into the SQL string; this is the fix that actually removes the injection.
- As defence in depth, apply server-side validation that enforces a strict character allowlist and length limit on examTitle and logs rejected values; on its own, metacharacter filtering is not a substitute for parameterization.
- Run the application database account with the least privileges necessary, removing DROP, ALTER, and FILE permissions.
- Place the application behind a reverse proxy with request filtering and rate limiting on authenticated endpoints.
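The defect described under Root Cause and the first two workarounds above, side by side, as an added illustration: this is not the vendor's addExamExe.php but a minimal recreation of the pattern, with the table and column names (`exam`, `examTitle`), the mysqli connection and the allowlist policy all assumed.

```php
<?php
// Added illustration for CVE-2024-4912; not the vendor's addExamExe.php.
// Assumed schema: table `exam` with a column `examTitle`. $db is an open
// mysqli connection supplied by the caller.

declare(strict_types=1);

// --- Vulnerable pattern (CWE-89): the raw POST value is spliced into SQL --
// Kept only to show the defect; never deploy this function.
function addExamVulnerable(mysqli $db, array $post): bool
{
    $examTitle = $post['examTitle'] ?? '';
    $sql = "INSERT INTO exam (examTitle) VALUES ('" . $examTitle . "')";
    // examTitle = x'),('injected')--   (trailing space after --) becomes
    //   INSERT INTO exam (examTitle) VALUES ('x'),('injected')-- ')
    // two rows are written and the original closing quote is commented out.
    // examTitle = x'+SLEEP(3)+'  becomes
    //   INSERT INTO exam (examTitle) VALUES ('x'+SLEEP(3)+'')
    // a time-based probe that confirms injection even when output is hidden.
    return $db->query($sql) === true;
}

// --- Hardened version: the value travels as data and can never be syntax --
function addExamSafe(mysqli $db, array $post): bool
{
    // examTitle[]=... arrives as an array; treat anything but a string as empty.
    $raw = $post['examTitle'] ?? '';
    $examTitle = is_string($raw) ? trim($raw) : '';

    // Defence in depth (assumed policy): 1..100 chars from a strict allowlist.
    // The prepared statement below is what stops injection; the allowlist
    // keeps junk out of the table and gives a clean event to alert on.
    if (preg_match('/^[A-Za-z0-9 ._()\-]{1,100}$/', $examTitle) !== 1) {
        // Hex-encode the rejected value so it cannot inject into the log.
        error_log('addExamExe: rejected examTitle ' . bin2hex($examTitle));
        return false;
    }

    $stmt = $db->prepare('INSERT INTO exam (examTitle) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $examTitle);   // bound as a string parameter
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Example wiring (the real script reads $_POST and then redirects):
// $db = new mysqli('localhost', 'exam_app', $password, 'examdb');
// if (!addExamSafe($db, $_POST)) { http_response_code(400); exit; }
```

With `bind_param`, the two payloads shown in the comments are stored verbatim as titles (or rejected by the allowlist) rather than parsed as SQL. If the real file uses the procedural `mysqli_query($con, "...$_POST['examTitle']...")` style, the same change applies: `mysqli_prepare` plus `mysqli_stmt_bind_param`. The database account used here should also lack DROP, ALTER and FILE, as the workaround above recommends, so that a second, still unpatched query cannot escalate beyond the exam tables.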
# Example ModSecurity rule to block SQLi payloads on the vulnerable endpoint.
# phase:2 inspects the request body, so SecRequestBodyAccess must be On for
# the POST parameter to be visible. REQUEST_FILENAME is matched instead of
# REQUEST_URI so that a trailing query string cannot defeat @endsWith.
SecRule REQUEST_FILENAME "@endsWith /addExamExe.php" \
    "id:1004912,phase:2,deny,status:403,log,\
    msg:'CVE-2024-4912 SQLi attempt on examTitle',chain"
    SecRule ARGS:examTitle "@detectSQLi" \
        "t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


