CVE-2024-4914 Overview
CVE-2024-4914 is a SQL injection vulnerability in Campcodes Online Examination System 1.0. The flaw affects the ranking-exam.php file, where the exam_id parameter is not properly sanitized before being used in a database query. Remote attackers with low-level privileges can manipulate this parameter to inject arbitrary SQL statements. The vulnerability is tracked as VulDB identifier VDB-264449 and maps to [CWE-89]. A proof-of-concept exploit has been publicly disclosed, increasing the risk to exposed instances.
Critical Impact
Authenticated attackers can extract, modify, or delete database contents through the vulnerable exam_id parameter, compromising exam data and user records.
Affected Products
- Campcodes Online Examination System 1.0
- ranking-exam.php endpoint
- Deployments exposing the application to untrusted networks
Discovery Timeline
- 2024-05-15 - CVE-2024-4914 published to NVD
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-4914
Vulnerability Analysis
The vulnerability resides in the ranking-exam.php script of Campcodes Online Examination System 1.0. The application accepts the exam_id parameter from user input and concatenates it directly into a SQL query without parameterization or sanitization. This allows an attacker to break out of the intended query context and append arbitrary SQL clauses.
Exploitation requires network access and low-privilege authentication, but no user interaction. Successful injection can yield read and limited write access to backend database tables. Because the application stores exam results, user accounts, and credentials, the impact extends to confidentiality and integrity of academic records. The publicly disclosed proof-of-concept lowers the bar for opportunistic attackers scanning for vulnerable installations.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command [CWE-89]. The exam_id value is passed into a dynamically constructed query without prepared statements or input validation. Any string supplied through the parameter is interpreted as SQL syntax by the backend.
Attack Vector
The attack is initiated remotely over the network against the ranking-exam.php endpoint. An attacker authenticates with low-privilege credentials, then issues a crafted HTTP request supplying malicious SQL payloads in the exam_id parameter. Common techniques include UNION-based extraction, boolean-based blind injection, and time-based blind injection. Refer to the GitHub PoC for SQL Injection for technical reproduction details.
Detection Methods for CVE-2024-4914
Indicators of Compromise
- HTTP requests to ranking-exam.php whose exam_id parameter contains SQL metacharacters or keywords such as single quotes, UNION, SELECT, SLEEP(, or --
- Web server access logs showing unusually long or encoded exam_id values
- Database error messages returned in HTTP responses referencing syntax errors
- Outbound database queries with anomalous structure originating from the application user
Detection Strategies
- Deploy web application firewall (WAF) signatures for SQL injection patterns targeting the exam_id parameter
- Enable database query logging and alert on queries that deviate from the application's normal parameter patterns
- Inspect application logs for repeated failed queries or boolean-based probing sequences against ranking-exam.php
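As an added example that is not part of this advisory, the following Python script applies the indicators and detection strategies listed above to access-log lines: it parses each request to ranking-exam.php, decodes the exam_id value, flags non-numeric, metacharacter-bearing or overlong values, and groups flagged requests by client address to surface repeated probing. The combined log format, the sample lines and the 16-character length threshold are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format; not captured from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2024:10:01:02 +0000] "GET /ranking-exam.php?exam_id=12 HTTP/1.1" 200 1834
10.0.0.7 - - [15/May/2024:10:01:09 +0000] "GET /ranking-exam.php?exam_id=12%27%20OR%201%3D1-- HTTP/1.1" 200 5210
10.0.0.7 - - [15/May/2024:10:01:15 +0000] "GET /ranking-exam.php?exam_id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 412
10.0.0.7 - - [15/May/2024:10:01:20 +0000] "GET /ranking-exam.php?exam_id=12%20AND%20SLEEP(5) HTTP/1.1" 200 1834
10.0.0.9 - - [15/May/2024:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# Metacharacters and keywords named under Indicators of Compromise above.
SQLI_RE = re.compile(r"'|\bunion\b|\bselect\b|sleep\s*\(|--|/\*", re.IGNORECASE)
MAX_EXAM_ID_LEN = 16  # assumed: legitimate ids are short integers, longer values are anomalous

def scan_line(line):
    """Return a finding for a suspicious ranking-exam.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/ranking-exam.php"):
        return None
    raw = parse_qs(parts.query, keep_blank_values=True).get("exam_id", [""])[0]
    value = unquote(raw)  # parse_qs decoded once; a second decode catches double-encoding
    reasons = []
    if not value.isdigit():
        reasons.append("non-numeric")
    if SQLI_RE.search(value):
        reasons.append("sql-metachar")
    if len(value) > MAX_EXAM_ID_LEN:
        reasons.append("overlong")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "status": int(m.group("status")), "exam_id": value, "reasons": reasons}

def scan_log(text):
    """Scan every line of an access log; return findings in log order."""
    return [f for f in map(scan_line, text.splitlines()) if f]

def probing_sources(findings, threshold=2):
    """Client IPs with at least `threshold` flagged requests, i.e. repeated probing."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG), probing_sources(scan_log(SAMPLE_LOG)))
```

Run it against a real log with scan_log(open(path).read()); the 5xx status on a flagged request corresponds to the database-error indicator above.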
Monitoring Recommendations
- Forward web server and database logs to a centralized SIEM for correlation
- Monitor for authenticated sessions issuing high volumes of requests against ranking-exam.php
- Track outbound data transfer volumes from the database host to identify potential exfiltration
How to Mitigate CVE-2024-4914
Immediate Actions Required
- Restrict network access to the Online Examination System to trusted networks or behind a VPN
- Disable or remove the ranking-exam.php endpoint if it is not required in production
- Rotate database credentials and audit accounts for unauthorized modifications
- Deploy WAF rules blocking SQL injection payloads against the affected parameter
Patch Information
No official vendor patch is referenced in the NVD entry for CVE-2024-4914. Organizations running Campcodes Online Examination System 1.0 should monitor the vendor for updates and consider migrating to a supported alternative. Additional details are available via VulDB #264449.
Workarounds
- Implement parameterized queries or prepared statements in ranking-exam.php as a custom code-level fix
- Apply server-side input validation enforcing numeric-only values for the exam_id parameter
- Restrict the database account used by the application to read-only access where feasible
- Place the application behind a reverse proxy with strict request filtering until a vendor fix is available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.