CVE-2024-5119 Overview
CVE-2024-5119 is a SQL injection vulnerability in SourceCodester Event Registration System 1.0, developed by oretnom23. The flaw resides in the /classes/Master.php?f=load_registration endpoint. Attackers can manipulate the last_id or event_id parameters to inject arbitrary SQL statements. The vulnerability is exploitable remotely over the network and requires only a low-privileged authenticated account. Public disclosure occurred alongside a proof-of-concept on GitHub, and the issue is tracked in VulDB as identifier #265199. The weakness is classified under CWE-89, improper neutralization of special elements used in an SQL command.
Critical Impact
Authenticated remote attackers can extract, modify, or delete database contents by injecting SQL through the last_id and event_id parameters of the registration loader.
Affected Products
- Oretnom23 Event Registration System 1.0
- SourceCodester Event Registration System 1.0
- Component: /classes/Master.php?f=load_registration
Discovery Timeline
- 2024-05-20 - CVE-2024-5119 published to NVD
- 2025-02-10 - Last updated in NVD database
Technical Details for CVE-2024-5119
Vulnerability Analysis
The vulnerability stems from unsanitized user input passed directly into SQL queries within the load_registration handler of Master.php. The application accepts the last_id and event_id request parameters and concatenates them into a database query without parameterization or validation. Attackers can append SQL operators, UNION clauses, or conditional payloads to alter query logic.
Exploitation requires network access to the application and a low-privilege account. The attack complexity is low, and no user interaction is needed. Successful exploitation enables disclosure of registration records, credentials, and other database contents. Attackers can also tamper with event data or perform blind injection to enumerate schema structures.
The EPSS probability for this CVE is approximately 0.197%, indicating a low predicted exploitation likelihood despite a public proof-of-concept being available.
Root Cause
The root cause is the direct concatenation of HTTP-supplied parameters into SQL statements. The handler does not use prepared statements or apply input filtering against last_id and event_id. Any value sent through these fields reaches the SQL engine unchanged, allowing query syntax manipulation.
Attack Vector
An authenticated remote attacker sends a crafted HTTP request to /classes/Master.php?f=load_registration with malicious SQL payloads in the last_id or event_id parameters. The injected payload modifies the underlying SELECT statement to return arbitrary data, perform boolean-based extraction, or chain additional queries through stacked statements depending on the database driver in use.
A public proof-of-concept demonstrating the injection technique is hosted on GitHub. See the GitHub PoC for SQL Injection for the full request and payload structure.
Detection Methods for CVE-2024-5119
Indicators of Compromise
- HTTP requests to /classes/Master.php?f=load_registration containing SQL metacharacters such as ', --, UNION, or SLEEP( in the last_id or event_id parameters
- Unexpected database error responses or anomalously long response times tied to the registration loader endpoint
- Web server access logs showing repeated parameter fuzzing against Master.php from a single source
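The following Python script is an added example, not code from this advisory or from the SourceCodester project. It turns the first and third indicators above into a log check: it parses Apache/nginx combined-format access log lines, isolates requests to /classes/Master.php with f=load_registration, percent-decodes the last_id and event_id values, flags anything that is not a plain integer (labelling values that carry the listed SQL metacharacters separately), and reports any source address that sent several flagged requests. The log lines embedded in SAMPLE_LOG are constructed for the demonstration; the endpoint path and parameter names are the ones on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format; only the fields needed for the check are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "/classes/Master.php"
HANDLER = "load_registration"
WATCHED = ("last_id", "event_id")
# Metacharacters and keywords named in the advisory's indicators of compromise.
SQLI_RE = re.compile(r"('|--|\bunion\b|\bselect\b|\bsleep\s*\(|\bor\b|\band\b)", re.IGNORECASE)


def inspect_line(line):
    """Return a record for a load_registration request with suspicious parameters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if params.get("f") != [HANDLER]:
        return None
    findings = []
    for name in WATCHED:
        for value in params.get(name, []):
            if re.fullmatch(r"[0-9]+", value):
                continue  # the only legitimate shape for these parameters
            reason = "sqli-signature" if SQLI_RE.search(value) else "non-numeric"
            findings.append((name, value, reason))
    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "findings": findings}


def scan_log(lines, fuzz_threshold=3):
    """Return (alerts, sources): flagged requests and IPs with >= fuzz_threshold of them."""
    alerts = [rec for rec in map(inspect_line, lines) if rec]
    per_ip = Counter(rec["ip"] for rec in alerts)
    sources = sorted(ip for ip, n in per_ip.items() if n >= fuzz_threshold)
    return alerts, sources


# Constructed sample log lines (not real traffic): one benign page load of the
# registration loader, three tampered requests from one client, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/May/2024:10:01:02 +0000] "GET /classes/Master.php?f=load_registration&event_id=3&last_id=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [20/May/2024:10:05:41 +0000] "GET /classes/Master.php?f=load_registration&event_id=3&last_id=0%20OR%201%3D1 HTTP/1.1" 200 9812 "-" "python-requests/2.31"',
    '203.0.113.77 - - [20/May/2024:10:05:43 +0000] "GET /classes/Master.php?f=load_registration&event_id=3%27%20UNION%20SELECT%201--&last_id=0 HTTP/1.1" 500 231 "-" "python-requests/2.31"',
    '203.0.113.77 - - [20/May/2024:10:05:45 +0000] "GET /classes/Master.php?f=load_registration&event_id=3&last_id=0)%20AND%20SLEEP(5)-- HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [20/May/2024:10:07:00 +0000] "GET /index.php?page=events HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, fuzzers = scan_log(SAMPLE_LOG)
    for rec in found:
        print(rec["ts"], rec["ip"], rec["status"], rec["findings"])
    print("repeated fuzzing from:", fuzzers)
```

Two caveats when running this against real logs: standard access logs only record the query string, so if the application receives last_id and event_id in a POST body the check needs the web server's request-body logging or a WAF audit log instead; and the numeric test does the real work here, because the page states these parameters are only ever integers, so any non-digit value is worth a look whether or not it matches a known SQL keyword.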
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect last_id and event_id for SQL injection signatures and block non-numeric values
- Enable verbose SQL query logging and alert on query patterns containing UNION SELECT or boolean tautologies originating from the application user
- Correlate authentication events with subsequent abnormal database query volume to identify post-login exploitation attempts
Monitoring Recommendations
- Monitor outbound data volume from the application database to detect bulk extraction
- Track HTTP 500 responses and database driver exceptions emitted by the Event Registration System
- Audit accounts that authenticate and immediately invoke load_registration with abnormal parameter content
How to Mitigate CVE-2024-5119
Immediate Actions Required
- Restrict network access to the Event Registration System to trusted users until a fix is applied
- Disable or remove the application if it is not actively required in the environment
- Review database logs for evidence of prior exploitation against load_registration
- Rotate database credentials and any secrets that may have been exposed through prior queries
Patch Information
No vendor-supplied patch is referenced in the NVD entry for CVE-2024-5119. The Event Registration System 1.0 from oretnom23 is distributed through SourceCodester, and administrators should monitor the vendor for an updated release. Until an official fix is provided, code-level remediation requires replacing concatenated SQL with prepared statements using parameter binding for last_id and event_id.
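The Event Registration System is a PHP application; the block below is an added Python/sqlite3 illustration of the defect described under Root Cause and of the remediation this paragraph calls for, not the project's own code or a patch for it. It places a handler that concatenates event_id and last_id into the query text beside one that validates both values against the same ^[0-9]+$ shape the WAF rule uses and then binds them as parameters. The registration_list table, its columns and the rows are constructed for the demonstration and do not come from the application's schema.

```python
import re
import sqlite3

# Hypothetical schema standing in for the application's registration table
# (names are assumptions, not taken from the SourceCodester code base).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registration_list (id INTEGER PRIMARY KEY, event_id INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO registration_list VALUES (?, ?, ?)",
        [(1, 1, "alice"), (2, 1, "bob"), (3, 2, "carol"), (4, 2, "dave")],
    )
    return conn


def load_registration_vulnerable(conn, event_id, last_id):
    """Request parameters pasted straight into the SQL text: the CVE-2024-5119 pattern."""
    sql = (
        "SELECT id, name FROM registration_list "
        f"WHERE event_id = {event_id} AND id > {last_id} ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def load_registration_fixed(conn, event_id, last_id):
    """Validate the shape first, then bind the values so they can never be parsed as SQL."""
    event_id, last_id = str(event_id), str(last_id)
    for name, value in (("event_id", event_id), ("last_id", last_id)):
        if not re.fullmatch(r"[0-9]+", value):
            raise ValueError(f"{name} must be a non-negative integer")
    sql = "SELECT id, name FROM registration_list WHERE event_id = ? AND id > ? ORDER BY id"
    return conn.execute(sql, (int(event_id), int(last_id))).fetchall()


def demo():
    """Run both handlers on a benign request and on a boolean tautology in last_id."""
    conn = build_demo_db()
    benign = ("1", "0")
    tautology = ("1", "0 OR 1=1")  # the kind of payload the detection guidance names
    results = {
        "vulnerable_benign": load_registration_vulnerable(conn, *benign),
        "vulnerable_tautology": load_registration_vulnerable(conn, *tautology),
        "fixed_benign": load_registration_fixed(conn, *benign),
    }
    try:
        load_registration_fixed(conn, *tautology)
        results["fixed_tautology"] = "query ran"
    except ValueError as exc:
        results["fixed_tautology"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler returns every registration for every event once the tautology widens the WHERE clause, which is the disclosure the advisory describes; the fixed handler rejects the request before any SQL is built. The two defences are independent: parameter binding alone already stops the value from changing the statement, and the numeric check adds a clear error for callers and a cheap place to log attempts.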
Workarounds
- Place the application behind a WAF configured to reject SQL metacharacters in the last_id and event_id parameters
- Apply server-side input validation to enforce strictly numeric values for both parameters
- Run the database account used by the application with the least privilege required, removing write and schema-modification rights where possible
- Implement IP allow-listing on the management interface to limit exposure
# Example WAF rule (ModSecurity) to block non-numeric values
SecRule ARGS:last_id|ARGS:event_id "!@rx ^[0-9]+$" \
"id:1005119,phase:2,deny,status:403,\
msg:'CVE-2024-5119 - Non-numeric last_id/event_id blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.