CVE-2024-4918 Overview
CVE-2024-4918 is a SQL injection vulnerability in Campcodes Online Examination System 1.0. The flaw resides in the updateQuestion.php script, where the id parameter is passed unsanitized into a SQL query. Remote attackers with low privileges can manipulate this parameter to inject arbitrary SQL statements. The vulnerability was publicly disclosed and assigned VulDB identifier VDB-264453. A proof-of-concept exploit is available, increasing the likelihood of opportunistic attacks against unpatched instances.
Critical Impact
Authenticated attackers can manipulate the id parameter in updateQuestion.php to execute arbitrary SQL queries, exposing examination data and potentially compromising the backend database.
Affected Products
- Campcodes Online Examination System 1.0
- Component: updateQuestion.php
- CPE: cpe:2.3:a:campcodes:online_examination_system:1.0:*:*:*:*:*:*:*
Discovery Timeline
- 2024-05-15 - CVE-2024-4918 published to NVD
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-4918
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89]. It affects the question update workflow in Campcodes Online Examination System 1.0. The updateQuestion.php endpoint accepts an id parameter from the client and incorporates it into a SQL statement without parameterization or input validation. This allows an attacker to break out of the intended query context and append arbitrary SQL clauses.
Exploitation requires network access to the application and a low-privileged account, as indicated by the PR:L component of the CVSS vector. No user interaction is needed, and the attack can be automated against exposed instances. The EPSS exploitation probability is 0.247%, which places it at the 47.9th percentile.
Root Cause
The root cause is improper neutralization of special elements used in a SQL command. The application concatenates the user-supplied id value directly into a SQL query string rather than using prepared statements or parameterized queries. This is a common pattern in PHP applications built on the mysqli or legacy mysql_* APIs when client-supplied input is trusted without validation or sanitization.
Attack Vector
An attacker submits a crafted HTTP request to updateQuestion.php with a malicious payload in the id parameter. Typical payloads use UNION-based, boolean-based, or time-based blind injection techniques to extract data from the underlying database. The publicly available proof-of-concept is hosted on the GitHub PoC Repository, which documents the injection technique and request structure. Additional technical details are tracked under VulDB #264453.
Detection Methods for CVE-2024-4918
Indicators of Compromise
- HTTP requests to updateQuestion.php containing SQL metacharacters such as single quotes, UNION SELECT, SLEEP(, or comment sequences (--, #) in the id parameter.
- Unusual database error messages returned to clients or logged on the web server after requests to the examination application.
- Spikes in response latency on updateQuestion.php consistent with time-based blind SQL injection probing.
- Authenticated sessions issuing repeated requests to the question update endpoint with varying numeric or encoded id values.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query parameters for SQL injection signatures, focusing on the updateQuestion.php path.
- Enable verbose web server access logging and review logs for malformed id parameter values.
- Correlate database server logs with web server logs to identify queries containing attacker-controlled clauses originating from the examination application.
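A log-review script for the indicators and detection strategies above, added here as an illustrative example rather than code from the advisory or from the Campcodes project. It parses combined-format access log lines, picks out requests to updateQuestion.php, and reports which of the listed indicators the decoded id value matches; a 5xx status on that endpoint is reported as well, since it corresponds to the database-error indicator. The log lines, client addresses and the /exam/ path prefix are constructed for this example.

```php
<?php
// Added example, not part of the advisory or the Campcodes project.
// Scans combined-format (Apache/Nginx) access log lines for requests to
// updateQuestion.php and classifies the id parameter against the advisory's
// indicators. The lines below are constructed; /exam/ and the IPs are assumed.

$sampleLog = <<<'LOG'
203.0.113.10 - - [15/May/2024:10:02:11 +0000] "GET /exam/updateQuestion.php?id=12 HTTP/1.1" 200 512
203.0.113.10 - - [15/May/2024:10:02:14 +0000] "GET /exam/updateQuestion.php?id=12%27 HTTP/1.1" 500 221
203.0.113.10 - - [15/May/2024:10:02:20 +0000] "GET /exam/updateQuestion.php?id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 980
203.0.113.10 - - [15/May/2024:10:02:31 +0000] "GET /exam/updateQuestion.php?id=12%20AND%20SLEEP(5)%23 HTTP/1.1" 200 512
198.51.100.7 - - [15/May/2024:10:03:02 +0000] "GET /exam/index.php HTTP/1.1" 200 1400
LOG;

/** Return the advisory indicators that a decoded id value matches (empty = benign). */
function classifyId(string $id): array
{
    if (preg_match('/^\d+$/', $id)) {
        return [];                                   // plain integer: expected traffic
    }
    $hits = ['non-numeric id'];
    $signatures = [
        'single quote'     => "/'/",
        'UNION SELECT'     => '/union\s+select/i',
        'SLEEP('           => '/sleep\s*\(/i',
        'comment sequence' => '/(--|#)/',
    ];
    foreach ($signatures as $name => $re) {
        if (preg_match($re, $id)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Parse combined-format lines and return findings for updateQuestion.php requests. */
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client, timestamp, method, request target, status code
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                                // not a combined-format line
        }
        [, $client, $ts, $method, $target, $status] = $m;
        $parts = parse_url($target);
        if (!isset($parts['path']) || basename($parts['path']) !== 'updateQuestion.php') {
            continue;                                // other endpoints are out of scope here
        }
        $params = [];
        parse_str($parts['query'] ?? '', $params);   // parse_str URL-decodes the values

        $hits = [];
        if (isset($params['id'])) {
            // id[]=... would arrive as an array; treat that as suspicious too
            $hits = is_array($params['id']) ? ['array-valued id'] : classifyId((string) $params['id']);
        }
        if ((int) $status >= 500) {
            $hits[] = 'server error on question update endpoint';
        }
        if ($hits) {
            $findings[] = [
                'client' => $client, 'time' => $ts, 'method' => $method,
                'status' => (int) $status, 'id' => $params['id'] ?? null, 'indicators' => $hits,
            ];
        }
    }
    return $findings;
}

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%s %s %s status=%d id=%s -> %s\n", $f['time'], $f['client'], $f['method'],
        $f['status'], is_array($f['id']) ? 'array' : (string) $f['id'], implode(', ', $f['indicators']));
}
```

Save as scan.php and run with `php scan.php`. A web server access log records only the query string, so if the application reads id from a POST body the value never appears here; for that case the same classification has to run at the WAF or inside the application itself (for instance by logging every rejected id value), which is where the virtual-patch and source-level fixes described later on this page apply. Repeated requests from one client with varying non-numeric id values, as in the constructed sample, are the pattern the last indicator above describes.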
Monitoring Recommendations
- Forward Apache/Nginx and MySQL logs to a centralized SIEM for correlation and alerting on injection patterns.
- Monitor for unauthorized changes to the questions table and related schema objects in the examination database.
- Alert on outbound database connections or data exfiltration patterns from the application server.
How to Mitigate CVE-2024-4918
Immediate Actions Required
- Restrict network access to the Campcodes Online Examination System to trusted networks or place it behind a VPN until a fix is applied.
- Deploy WAF rules to block SQL injection payloads targeting the id parameter of updateQuestion.php.
- Audit application database accounts and enforce least privilege, removing FILE, CREATE, and administrative grants where not required.
- Review web and database logs for prior exploitation attempts using the indicators listed above.
Patch Information
No official vendor advisory or patch is listed in the available references for CVE-2024-4918. Organizations operating Campcodes Online Examination System 1.0 should monitor the vendor for updates and apply source-level remediation by replacing the vulnerable query construction in updateQuestion.php with parameterized queries using mysqli prepared statements or PDO with bound parameters.
Workarounds
- Modify updateQuestion.php to validate that the id parameter is strictly numeric before use, for example with intval() or filter_var($id, FILTER_VALIDATE_INT).
- Replace string-concatenated SQL with prepared statements that bind the id value as a typed parameter.
- Apply a virtual patch through a reverse proxy or WAF that rejects non-numeric values in the id parameter.
- If the application is not actively used, take it offline until remediated.
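The remediation described under Patch Information and in the first two workarounds, as an added example. This is not the project's code: the table and column names (questions, question), the mysqli connection in $conn, the PDO instance in $pdo, and the use of POST are assumptions; only the file name and the id parameter come from the advisory. The first function reproduces the kind of construction the advisory describes (the id is concatenated into the SQL text) and is kept only as the 'before' for comparison; the second validates id with filter_var(..., FILTER_VALIDATE_INT) and binds it as an integer in a mysqli prepared statement, and the third shows the equivalent with PDO.

```php
<?php
// Added illustrative example, not the Campcodes project's own code.
// Assumptions: a MySQL table `questions` with columns `id` and `question`,
// an open mysqli connection in $conn (or a PDO instance in $pdo), and the
// id/question fields arriving in the POST body as $post.

// 'Before': the pattern the advisory describes. $post['id'] is dropped straight
// into the SQL text, so whatever the client sends is parsed by MySQL as SQL.
function updateQuestionVulnerable(mysqli $conn, array $post): bool
{
    $sql = "UPDATE questions SET question = '" . $conn->real_escape_string($post['question'])
         . "' WHERE id = " . $post['id'];
    return $conn->query($sql) !== false;
}

// 'After', mysqli: validate first, then bind as a typed parameter.
function updateQuestionSafe(mysqli $conn, array $post): bool
{
    // FILTER_VALIDATE_INT returns false for anything that is not a whole number
    // (including '' and arrays); min_range rejects 0 and negative ids.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Rejected values are logged (never echoed back) so detection rules can pick them up.
        error_log('updateQuestion.php: rejected non-integer id from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(400);
        return false;
    }
    $question = (string) ($post['question'] ?? '');

    // The statement text is fixed; the values travel separately ('s' = string, 'i' = int),
    // so the database never interprets the id as part of the query.
    $stmt = $conn->prepare('UPDATE questions SET question = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $question, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 'After', PDO: named placeholders with an explicit integer binding for id.
function updateQuestionSafePdo(PDO $pdo, array $post): bool
{
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }
    $stmt = $pdo->prepare('UPDATE questions SET question = :question WHERE id = :id');
    $stmt->bindValue(':question', (string) ($post['question'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}
```

The typed bind on its own closes the injection; the integer check in front of it is defence in depth and, because it logs the rejected value, it doubles as the application-level detection that a reverse proxy or access log cannot provide for a POST parameter. With PDO, set `PDO::ATTR_EMULATE_PREPARES` to false on the connection so that the MySQL server itself, not the client library, separates statement text from data.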
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.