CVE-2024-7220 Overview
CVE-2024-7220 is a SQL injection vulnerability in SourceCodester/Campcodes School Log Management System 1.0. The flaw resides in the /admin/print_barcode.php script, where the tbl parameter is passed into a database query without proper sanitization. Attackers can manipulate this parameter to inject arbitrary SQL statements and influence backend query execution.
The vulnerability is exploitable remotely over the network and requires only low-privileged authentication. Public exploit code has been disclosed, lowering the barrier for opportunistic abuse against exposed deployments. The issue is tracked under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can inject SQL through the tbl parameter of print_barcode.php and access or alter backend database contents in the School Log Management System.
Affected Products
- Oretnom23 School Log Management System 1.0
- SourceCodester Campcodes School Log Management System 1.0
- cpe:2.3:a:oretnom23:school_log_management_system:1.0
Discovery Timeline
- 2024-07-30 - CVE-2024-7220 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2024-7220
Vulnerability Analysis
The vulnerability exists in the administrative barcode printing functionality at /admin/print_barcode.php. The script accepts a tbl request argument and concatenates it into a SQL query executed against the application database. Because the argument is not validated, escaped, or bound as a parameter, attacker-controlled input alters the resulting query structure.
Exploitation can disclose table contents, extract authentication material, or modify records depending on the underlying database privileges. The endpoint sits behind the admin interface, but the low privilege requirement and lack of additional controls allow any authenticated low-tier account to abuse it. Public proof-of-concept material on GitHub Gist demonstrates the injection technique.
Root Cause
The root cause is direct concatenation of unsanitized HTTP request input into a SQL statement. The tbl parameter is treated as a trusted table or query fragment instead of being validated against an allowlist or supplied via parameterized queries. This class of defect maps to CWE-74 injection weaknesses.
Attack Vector
An attacker with a valid low-privilege session sends a crafted HTTP request to /admin/print_barcode.php with a malicious tbl value. The injected payload modifies the SQL query at runtime. Because the attack is performed over the network with low complexity and no user interaction, automated scanners can identify and abuse vulnerable instances at scale once exposure is known.
The vulnerability manifests as classic SQL injection in the tbl GET/POST parameter. Refer to the GitHub Gist PoC Code and VulDB entry #272791 for the published technical details.
Detection Methods for CVE-2024-7220
Indicators of Compromise
- HTTP requests to /admin/print_barcode.php containing SQL meta-characters such as ', ", UNION, SELECT, SLEEP(, or -- within the tbl parameter.
- Unusual database errors or extended query response times originating from the print_barcode.php endpoint.
- Access to /admin/print_barcode.php from IP addresses or user agents that do not match normal administrative use.
Detection Strategies
- Deploy web application firewall (WAF) signatures targeting SQL injection patterns in the tbl parameter of print_barcode.php.
- Enable database query logging and alert on syntactically anomalous queries against tables referenced by the barcode module.
- Correlate web server access logs with authentication logs to identify low-privilege accounts probing admin endpoints.
Monitoring Recommendations
- Monitor for spikes in 500-class responses or query errors tied to the print_barcode.php route.
- Track outbound data volumes from the database host to detect bulk extraction following injection.
- Alert on repeated failed or malformed requests to /admin/ URIs from the same session or IP.
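The indicators and detection strategies above, turned into a small log scanner. This is an added example, not tooling from the project or the advisory: it parses Apache-style access log lines (a format assumption), pulls the decoded tbl value from requests to /admin/print_barcode.php, flags values containing the listed SQL meta-characters, and counts flagged requests per source IP so repeated probing from one address can be alerted on. The log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log; IPs, timestamps and payload shapes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jul/2024:10:01:02 +0000] "GET /admin/print_barcode.php?tbl=students HTTP/1.1" 200 5120
192.0.2.10 - - [30/Jul/2024:10:01:05 +0000] "GET /admin/print_barcode.php?tbl=staff HTTP/1.1" 200 4096
198.51.100.7 - - [30/Jul/2024:10:02:11 +0000] "GET /admin/print_barcode.php?tbl=students%27%20UNION%20SELECT%201--%20 HTTP/1.1" 500 312
198.51.100.7 - - [30/Jul/2024:10:02:13 +0000] "GET /admin/print_barcode.php?tbl=students%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120
203.0.113.9 - - [30/Jul/2024:10:03:40 +0000] "GET /admin/index.php HTTP/1.1" 200 2048
"""

# Apache combined/common log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Meta-characters and keywords from the indicator list, applied to the decoded value
# so percent-encoded payloads are not missed.
SQLI_RE = re.compile(r"(?i)['\"]|\bunion\b|\bselect\b|sleep\(|--|/\*")

VULNERABLE_PATH = "/admin/print_barcode.php"


def scan_log(text):
    """Return one record per request whose tbl parameter matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULNERABLE_PATH:
            continue
        # parse_qs URL-decodes the value; tbl may appear more than once.
        for value in parse_qs(parts.query).get("tbl", []):
            if SQLI_RE.search(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "tbl": value, "status": int(m.group("status"))})
    return hits


def ips_over_threshold(hits, threshold=2):
    """Source IPs with at least `threshold` flagged requests (repeat-probe alerting)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("repeat offenders:", ips_over_threshold(found))
```

POST bodies are not in the access log, so the same check should be applied to WAF or application request logging to cover the POST form of the parameter.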
How to Mitigate CVE-2024-7220
Immediate Actions Required
- Restrict network access to the School Log Management System administrative interface using IP allowlists or VPN-only access.
- Audit existing administrator and low-privilege accounts and disable any that are unused or unrecognized.
- Review web and database logs for prior exploitation attempts referencing the tbl parameter.
Patch Information
No vendor patch is currently listed in the NVD references for CVE-2024-7220. Operators should monitor the VulDB advisory for vendor updates and consider migrating off the affected 1.0 release if no fix becomes available.
Workarounds
- Apply a virtual patch at the WAF that rejects requests to /admin/print_barcode.php containing SQL meta-characters in the tbl parameter.
- Modify print_barcode.php locally to validate tbl against a strict allowlist of permitted table identifiers before use in any query.
- Replace inline query construction with prepared statements using bound parameters in the affected code path.
# Example WAF rule (ModSecurity) blocking SQLi payloads in the tbl parameter.
# The first rule matches the vulnerable path and chains to the second, which
# inspects only the tbl argument (GET or POST). Values in ARGS are already
# URL-decoded by the engine, so encoded payloads are still caught. An explicit
# phase and log action are set rather than relying on defaults.
SecRule REQUEST_URI "@contains /admin/print_barcode.php" \
    "id:1002024,phase:2,deny,status:403,log,msg:'CVE-2024-7220 SQLi attempt',chain"
    SecRule ARGS:tbl "@rx (?i)(union|select|sleep\(|--|';|\"|/\*)" "t:none"
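The root cause and the code-level workarounds above, shown side by side. This is an added example, not the application's code: it uses an in-memory SQLite database with an assumed schema (table and column names are placeholders) to contrast the vulnerable concatenation of tbl with a hardened version. The caveat it demonstrates is that a table identifier cannot be bound as a prepared-statement parameter, so the fix for tbl is an allowlist check on the identifier, with binding reserved for the value part of the query.

```python
import sqlite3

# Table names the barcode module is permitted to read. Assumed for this
# example; the real application's schema is not on the page.
ALLOWED_TABLES = ("students", "staff")


def setup_db():
    """Constructed in-memory database standing in for the application's schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE students (id INTEGER, name TEXT);
        CREATE TABLE staff (id INTEGER, name TEXT);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO students VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO staff VALUES (1, 'carol');
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
    """)
    return db


def vulnerable_query(db, tbl, record_id):
    # Mirrors the flaw: both request arguments are concatenated into the SQL
    # text, so 'tbl' can rewrite the statement instead of merely naming a table.
    sql = "SELECT id, name FROM " + tbl + " WHERE id = " + str(record_id)
    return db.execute(sql).fetchall()


def hardened_query(db, tbl, record_id):
    # An identifier cannot be bound with a placeholder, so it is validated
    # against the allowlist before being quoted into the statement; the value
    # is bound with '?' so it can never change the query structure.
    if tbl not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % (tbl,))
    sql = 'SELECT id, name FROM "%s" WHERE id = ?' % tbl
    return db.execute(sql, (int(record_id),)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Constructed probe value: the vulnerable path returns rows from 'users',
    # the hardened path rejects the identifier before any query runs.
    probe = "students WHERE 1=0 UNION SELECT id, password FROM users --"
    print("vulnerable:", vulnerable_query(db, probe, 1))
    try:
        hardened_query(db, probe, 1)
    except ValueError as exc:
        print("hardened rejected:", exc)
```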
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.