CVE-2024-4967 Overview
CVE-2024-4967 is a SQL injection vulnerability in SourceCodester Interactive Map with Marker 1.0. The flaw resides in the /endpoint/delete-mark.php script, where the mark parameter is passed to a database query without proper sanitization. Attackers can manipulate this parameter to inject arbitrary SQL statements against the backing database. The vulnerability is exploitable remotely over the network and requires only low-privileged access. Public disclosure of the exploit details has occurred through VulDB entry VDB-264535, increasing the likelihood of opportunistic attacks against exposed instances.
Critical Impact
Remote attackers with low privileges can inject SQL statements through the mark parameter in delete-mark.php, potentially exposing or modifying database contents.
Affected Products
- SourceCodester Interactive Map with Marker 1.0
- Rems Interactive Map with Marker (vendor identifier rems:interactive_map_with_marker)
- Deployments using the vulnerable /endpoint/delete-mark.php endpoint
Discovery Timeline
- 2024-05-16 - CVE-2024-4967 published to NVD
- 2025-02-10 - Last updated in NVD database
Technical Details for CVE-2024-4967
Vulnerability Analysis
The vulnerability is classified under [CWE-89]: Improper Neutralization of Special Elements used in an SQL Command. The delete-mark.php endpoint accepts a mark argument from the client and concatenates it into a SQL query without parameterization or input validation. An attacker supplies crafted SQL syntax through this parameter to alter the original query logic. Successful exploitation may allow reading, modifying, or deleting database records depending on the application's database user privileges. The application requires low privileges to access the endpoint, but no user interaction or social engineering is needed to trigger the flaw.
Root Cause
The root cause is the direct inclusion of user-supplied input into a SQL statement within delete-mark.php. The application does not use prepared statements or parameterized queries, and it does not sanitize or type-check the mark value before query execution. This pattern is a textbook violation of secure database access practices.
Attack Vector
The attack vector is network-based. An authenticated attacker sends an HTTP request to /endpoint/delete-mark.php with a malicious mark parameter containing SQL syntax. Because the exploit has been disclosed publicly through the GitHub SQL Injection Guide, automated scanners and opportunistic attackers can reproduce the attack with minimal effort. Refer to the VulDB #264535 entry for additional technical context.
Detection Methods for CVE-2024-4967
Indicators of Compromise
- HTTP requests targeting /endpoint/delete-mark.php containing SQL meta-characters such as single quotes, UNION, SELECT, --, or ; in the mark parameter
- Web server access logs showing repeated probing of the delete-mark.php endpoint with varying mark values
- Unexpected database errors or anomalous query latency originating from the Interactive Map application
Detection Strategies
- Deploy web application firewall (WAF) rules to inspect query string and POST body parameters for SQL injection patterns directed at delete-mark.php
- Enable database query logging and correlate unusual query structures with HTTP request logs from the application
- Implement signature-based detection for the public proof-of-concept payloads referenced in the GitHub SQL Injection Guide
Monitoring Recommendations
- Monitor outbound database traffic for unexpected INFORMATION_SCHEMA queries or bulk row reads
- Track authentication events that precede requests to vulnerable endpoints to identify abused low-privileged accounts
- Alert on HTTP 500 responses from delete-mark.php, which often indicate SQL syntax errors caused by injection attempts
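The indicators and monitoring items above can be turned into a small log-scanning check. The following PHP script is an added example, not code from this advisory or from the SourceCodester project: it reads access-log lines in the common "combined" format, isolates requests to /endpoint/delete-mark.php, decodes the mark parameter, and flags values that are not a plain integer, that contain the meta-characters and keywords listed above, or that ended in an HTTP 500. The log format, the request path and the sample lines at the bottom are assumptions constructed for the demonstration.

```php
<?php
// Added example (not code from the advisory or the SourceCodester project).
// Scans access-log lines in the "combined" format for requests to
// /endpoint/delete-mark.php whose mark parameter carries SQL meta-characters
// or keywords, is not a plain integer, or produced an HTTP 500 response.
// The log lines at the bottom are constructed for this demonstration.

const VULN_PATH = '/endpoint/delete-mark.php';

// Tokens the advisory lists as indicators: single quote, ;, --, UNION, SELECT
const SQLI_TOKENS = '/\'|;|--|\b(union|select)\b/i';

// Returns one finding per suspicious request: line number, client IP,
// timestamp, decoded mark value, status code and the reasons it was flagged.
function scan_access_log(array $lines): array
{
    $findings = [];
    // combined format: host ident user [time] "METHOD target PROTO" status size ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    foreach ($lines as $n => $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a request record we understand
        }
        [, $ip, $time, $method, $target, $status] = $m;
        if (parse_url($target, PHP_URL_PATH) !== VULN_PATH) {
            continue;
        }
        // parse_str percent-decodes the query string, so the checks below
        // see the same value the vulnerable script would have concatenated.
        parse_str(parse_url($target, PHP_URL_QUERY) ?? '', $params);
        $mark = null;
        if (isset($params['mark'])) {
            $mark = is_array($params['mark']) ? '[array]' : (string)$params['mark'];
        }

        $reasons = [];
        if ($mark !== null && !preg_match('/^\d{1,10}$/', $mark)) {
            $reasons[] = 'mark is not a plain integer';
        }
        if ($mark !== null && preg_match(SQLI_TOKENS, $mark)) {
            $reasons[] = 'SQL meta-characters or keywords in mark';
        }
        if ($status === '500') {
            $reasons[] = 'HTTP 500 from delete-mark.php (possible SQL syntax error)';
        }
        if ($reasons !== []) {
            $findings[] = [
                'line' => $n + 1, 'ip' => $ip, 'time' => $time, 'method' => $method,
                'mark' => $mark, 'status' => (int)$status, 'reasons' => $reasons,
            ];
        }
    }
    return $findings;
}

// Aggregate per client to surface repeated probing of the endpoint.
function probes_by_ip(array $findings): array
{
    $counts = [];
    foreach ($findings as $f) {
        $counts[$f['ip']] = ($counts[$f['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Constructed sample log lines (RFC 5737 documentation addresses).
$sample = [
    '203.0.113.7 - - [10/Feb/2025:10:15:01 +0000] "GET /endpoint/delete-mark.php?mark=42 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2025:10:15:09 +0000] "GET /endpoint/delete-mark.php?mark=42%27%20-- HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Feb/2025:10:15:12 +0000] "GET /endpoint/delete-mark.php?mark=42%20UNION%20SELECT%201 HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '198.51.100.2 - - [10/Feb/2025:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

$findings = scan_access_log($sample);
foreach ($findings as $f) {
    printf("line %d %s %s mark=%s status=%d: %s\n", $f['line'], $f['time'], $f['ip'],
        var_export($f['mark'], true), $f['status'], implode('; ', $f['reasons']));
}
foreach (probes_by_ip($findings) as $ip => $count) {
    printf("%s: %d suspicious request(s) to %s\n", $ip, $count, VULN_PATH);
}
```

Access logs only record the query string, so this check covers GET requests; a mark value sent in a POST body (which the WAF strategy above also inspects) only becomes visible through WAF audit logs or application-level request logging. Run it against a file with `scan_access_log(file('access.log', FILE_IGNORE_NEW_LINES))`.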
How to Mitigate CVE-2024-4967
Immediate Actions Required
- Restrict network access to the Interactive Map with Marker application until a patched build is available
- Disable or remove the /endpoint/delete-mark.php endpoint if it is not required for business operations
- Audit application database accounts and revoke unnecessary privileges to limit potential blast radius
- Review web server and database logs for indicators of prior exploitation
Patch Information
No vendor patch has been published for SourceCodester Interactive Map with Marker 1.0 at the time of writing. Organizations using this application should consider migrating to an actively maintained alternative or applying source-level fixes that replace string concatenation with parameterized queries in delete-mark.php.
Workarounds
- Place a WAF in front of the application with rules that block SQL injection payloads targeting the mark parameter
- Apply a source-level patch that uses prepared statements with bound parameters for all database interactions in delete-mark.php
- Enforce strict input validation that rejects any mark value not matching an expected numeric or identifier format
# Example ModSecurity rule blocking SQLi attempts against the vulnerable endpoint
SecRule REQUEST_URI "@contains /endpoint/delete-mark.php" \
"phase:2,chain,deny,status:403,id:1004967,msg:'CVE-2024-4967 SQLi attempt'"
SecRule ARGS:mark "@detectSQLi" "t:none"
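The two source-level workarounds above (prepared statements with bound parameters, and strict validation of the mark value) look like this in PHP. The script below is an added example and not the SourceCodester project's code or a patch for it: the table and column names (marks, id) are assumptions, since the original script's schema is not known here, and an in-memory SQLite database stands in for the application's MySQL server so the file runs offline. The vulnerable concatenation pattern the advisory describes appears only as a comment for contrast.

```php
<?php
// Added example, not the SourceCodester project's code. It shows the
// source-level fix the advisory recommends for /endpoint/delete-mark.php:
// strict validation of the mark value plus a prepared statement with a bound
// parameter. The table and column names (marks, id) are assumptions; the
// original script's schema is not known here. SQLite in memory stands in for
// the application's MySQL database so the file runs offline.

// BEFORE: the vulnerable pattern the advisory describes (shown, never run):
//   $result = $conn->query("DELETE FROM marks WHERE id = " . $_GET['mark']);
// AFTER: validate first, then let the database driver bind the value.

// Accept only a plain positive integer of reasonable length; anything else
// (quotes, keywords, arrays, empty strings) yields null for an HTTP 400.
function validate_mark_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    return preg_match('/^[1-9]\d{0,9}$/', (string)$raw) ? (int)$raw : null;
}

// The bound integer can never alter the statement's structure.
// Returns the number of rows removed (0 or 1 for a primary-key match).
function delete_mark(PDO $db, int $markId): int
{
    $stmt = $db->prepare('DELETE FROM marks WHERE id = :id');
    $stmt->bindValue(':id', $markId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Handler glue: returns [status code, message] for the request's mark parameter.
function handle_delete_request(PDO $db, array $get): array
{
    $id = validate_mark_id($get['mark'] ?? null);
    if ($id === null) {
        return [400, 'invalid mark id'];
    }
    return delete_mark($db, $id) === 1 ? [200, 'deleted'] : [404, 'no such mark'];
}

// Stand-alone demonstration against constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE marks (id INTEGER PRIMARY KEY, label TEXT NOT NULL)');
$db->exec("INSERT INTO marks (id, label) VALUES (1, 'home'), (2, 'office'), (3, 'depot')");

// The second and third values carry the meta-characters the advisory lists;
// they are rejected before any SQL is built.
foreach (['2', "2' --", '2; SELECT 1', '999', ''] as $raw) {
    [$code, $msg] = handle_delete_request($db, ['mark' => $raw]);
    printf("mark=%-14s -> %d %s\n", var_export($raw, true), $code, $msg);
}
printf("rows remaining: %d\n", $db->query('SELECT COUNT(*) FROM marks')->fetchColumn());
```

Against the application's MySQL backend the same shape applies with either PDO's MySQL driver or mysqli (`$stmt = $conn->prepare('DELETE FROM marks WHERE id = ?'); $stmt->bind_param('i', $id);`). The validation step is not redundant with binding: it keeps malformed values from reaching the database at all, so the HTTP 500 responses that the detection section relies on as a signal stop occurring for this endpoint once the fix is in place.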
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.