CVE-2024-7375 Overview
CVE-2024-7375 is a SQL injection vulnerability in SourceCodester Simple Realtime Quiz System 1.0, developed by oretnom23. The flaw resides in the /my_quiz_result.php script, where the quiz parameter is passed to a database query without proper sanitization. Authenticated attackers can manipulate the parameter remotely to inject arbitrary SQL statements. Public exploit code has been disclosed, lowering the barrier for opportunistic abuse. The vulnerability maps to [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Remote attackers with low privileges can extract, modify, or destroy quiz database contents by injecting SQL through the quiz HTTP parameter in /my_quiz_result.php.
Affected Products
- Oretnom23 Simple Realtime Quiz System 1.0
- File: /my_quiz_result.php
- Vulnerable parameter: quiz
Discovery Timeline
- 2024-08-02 - CVE-2024-7375 published to NVD
- 2024-08-09 - Last updated in NVD database
Technical Details for CVE-2024-7375
Vulnerability Analysis
The vulnerability stems from unsanitized handling of the quiz request parameter inside /my_quiz_result.php. The application concatenates the user-supplied value directly into a SQL query string rather than using parameterized statements. As a result, attackers can break out of the intended query context and append arbitrary SQL clauses.
Exploitation requires network access to the application and a low-privilege authenticated session. No user interaction is required, and the attack complexity is low. Successful exploitation can disclose stored user records, quiz answers, and authentication material. Data tampering through stacked UPDATE or DELETE statements depends on the database driver the script uses: PHP's mysqli_query() refuses to execute more than one statement per call, while the PDO MySQL driver allows stacked statements by default, so read access should be assumed and write access confirmed against the actual code.
The exploit has been disclosed publicly via a GitHub Gist referenced in VulDB #273359, increasing the likelihood of automated scanning against exposed instances. The EPSS probability remains low, but public availability of the proof of concept means defenders should treat exposure as actionable.
Root Cause
The root cause is improper neutralization of special characters in SQL query construction [CWE-89]. The quiz argument is interpolated into a query string without prepared statements, escaping, or input validation. Any character with SQL semantics, such as single quotes, parentheses, or comment markers, is interpreted by the database engine rather than treated as data.
Attack Vector
An attacker submits a crafted HTTP request to /my_quiz_result.php with a malicious quiz parameter value. The injection payload typically includes a UNION SELECT clause to exfiltrate data from adjacent tables, or boolean-based predicates to enumerate records blindly. See the public exploit gist for the disclosed proof-of-concept request format.
Detection Methods for CVE-2024-7375
Indicators of Compromise
- HTTP requests to /my_quiz_result.php containing SQL metacharacters such as ', --, UNION, or SLEEP( in the quiz parameter. In access logs these usually appear URL-encoded (%27, %2D%2D, %20UNION%20SELECT), so decode the query string before matching.
- Unexpected SELECT, UNION, or INFORMATION_SCHEMA queries in MySQL/MariaDB query logs originating from the quiz application user.
- Web server access logs showing repeated requests to my_quiz_result.php from a single source with varying quiz values.
Detection Strategies
- Deploy web application firewall (WAF) signatures for SQL injection patterns targeting the quiz parameter on the /my_quiz_result.php endpoint.
- Enable database query logging and alert on queries containing UNION SELECT or comment sequences from the quiz application service account.
- Correlate authentication events with anomalous query volume from the same session to identify automated injection attempts.
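As an added example, not taken from the original advisory or from the Simple Realtime Quiz System code, the following Python script applies the indicators above to access-log lines: it parses each line, URL-decodes the quiz parameter (twice, to catch double-encoded payloads), matches the SQL metacharacter patterns from the IoC list, and flags sources that sent many distinct quiz values. The log lines are constructed for the example; the threshold of three distinct values per source is an arbitrary starting point, not a figure from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2024:10:01:02 +0000] "GET /my_quiz_result.php?quiz=3 HTTP/1.1" 200 1842
10.0.0.9 - - [09/Aug/2024:10:01:07 +0000] "GET /my_quiz_result.php?quiz=3%27%20OR%201%3D1--%20- HTTP/1.1" 200 5120
10.0.0.9 - - [09/Aug/2024:10:01:09 +0000] "GET /my_quiz_result.php?quiz=3%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 5301
10.0.0.9 - - [09/Aug/2024:10:01:11 +0000] "GET /my_quiz_result.php?quiz=3%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1842
10.0.0.5 - - [09/Aug/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Metacharacters and keywords from the IoC list, matched case-insensitively
# after decoding. This is a first-pass signature, not a full SQLi parser.
SQLI_RE = re.compile(r"'|--|\bUNION\b|\bSLEEP\s*\(|\bINFORMATION_SCHEMA\b", re.IGNORECASE)

TARGET_PATH = "/my_quiz_result.php"
TARGET_PARAM = "quiz"


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes once; unquote_plus decodes a second layer so that a
    # double-encoded payload (%2527) is still visible to the signature.
    rec["query"] = {
        k: [unquote_plus(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def analyze(log_text):
    """Return (findings, distinct quiz values per source) for requests to the endpoint."""
    findings = []
    quiz_values = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["query"].get(TARGET_PARAM, []):
            quiz_values[rec["src"]].add(value)
            m = SQLI_RE.search(value)
            if m:
                findings.append({"src": rec["src"], "ts": rec["ts"],
                                 "quiz": value, "match": m.group(0)})
    return findings, quiz_values


def suspicious_sources(quiz_values, threshold=3):
    """Sources that probed the endpoint with at least `threshold` distinct quiz values."""
    return sorted(src for src, vals in quiz_values.items() if len(vals) >= threshold)


if __name__ == "__main__":
    found, per_source = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['src']} quiz={f['quiz']!r} matched {f['match']!r}")
    print("high-variance sources:", suspicious_sources(per_source))
```

Web server access logs only record the query string, so POST bodies sent to the same script are invisible to this check; for those, rely on the database query log or a WAF audit log as the detection strategies above suggest.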
Monitoring Recommendations
- Forward web server and database logs to a centralized analytics platform for correlation and retention.
- Establish baseline request rates for /my_quiz_result.php and alert on deviations.
- Monitor outbound connections from the database host for signs of post-exploitation data exfiltration.
How to Mitigate CVE-2024-7375
Immediate Actions Required
- Restrict network access to the Simple Realtime Quiz System until a patch is available, exposing it only to trusted networks or behind a VPN.
- Deploy a WAF rule that blocks SQL metacharacters in the quiz parameter sent to /my_quiz_result.php.
- Audit the underlying database for unauthorized read or write activity since the application was first deployed.
- Rotate credentials for any accounts whose data may have been stored in the affected database.
Patch Information
No official vendor patch has been published for Simple Realtime Quiz System 1.0 at the time of NVD publication. Organizations should refer to the VulDB CTI Report #273359 for tracking updates. If source code modifications are feasible, replace string-concatenated queries in my_quiz_result.php with parameterized queries using PHP PDO::prepare() or mysqli_prepare() with bound parameters, and apply server-side input validation to the quiz parameter (for example, accepting only the value type the script expects, such as an integer quiz identifier). Validation is a second layer, not a substitute for parameterization.
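To make the Attack Vector section and the fix described above concrete, here is an added Python example that is not the project's code: it builds an in-memory SQLite database with a constructed schema (the real table and column names of Simple Realtime Quiz System 1.0 are not reproduced), shows a string-concatenated query of the kind CWE-89 describes leaking rows from an adjacent users table through a UNION SELECT in the quiz value, and then shows the same lookup with a bound parameter, where the identical payload returns nothing. The `-- -` comment terminator works in both SQLite and MySQL (MySQL requires whitespace after `--`).

```python
import sqlite3

# Constructed schema standing in for the application's tables (assumption).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE quiz_results (id INTEGER, quiz_id INTEGER, user_id INTEGER, score INTEGER);
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO quiz_results VALUES (1, 3, 7, 80), (2, 4, 7, 65);
        INSERT INTO users VALUES (7, 'student', 'pbkdf2$...'), (1, 'admin', '$2y$10$hash');
    """)
    return conn


def results_vulnerable(conn, quiz, user_id=7):
    """Untrusted `quiz` interpolated into SQL text: the CWE-89 pattern."""
    sql = (
        "SELECT id, quiz_id, score FROM quiz_results "
        f"WHERE user_id = {user_id} AND quiz_id = '{quiz}'"
    )
    return conn.execute(sql).fetchall()


def results_fixed(conn, quiz, user_id=7):
    """Parameterized query: the driver sends `quiz` as a value, never as SQL.

    This is the Python equivalent of PDO::prepare()/mysqli_prepare() with
    bound parameters in PHP.
    """
    sql = "SELECT id, quiz_id, score FROM quiz_results WHERE user_id = ? AND quiz_id = ?"
    return conn.execute(sql, (user_id, quiz)).fetchall()


def validate_quiz_param(raw):
    """Defence in depth, assuming the script expects a numeric quiz id.

    Returns the integer id, or None if the raw value is not a plain positive
    integer. A rejected value never reaches the database layer.
    """
    return int(raw) if raw.isdigit() else None


# UNION payload matching the three columns the original query selects; the
# trailing "-- -" comments out the closing quote appended by the application.
PAYLOAD = "3' UNION SELECT id, username, password FROM users-- -"

if __name__ == "__main__":
    db = build_db()
    print("legit   :", results_vulnerable(db, "3"))
    print("leaked  :", results_vulnerable(db, PAYLOAD))
    print("fixed   :", results_fixed(db, PAYLOAD))
    print("validate:", validate_quiz_param("3"), validate_quiz_param(PAYLOAD))
```

The leaked rows carry the users table's username and password columns in the positions the page expects to hold quiz_id and score, which is exactly how the UNION-based technique described under Attack Vector surfaces data from adjacent tables. With the bound parameter the whole payload is compared against quiz_id as one opaque string and matches nothing.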
Workarounds
- Place the application behind an authenticating reverse proxy that filters request parameters.
- Apply database-level least privilege so the application account cannot read sensitive tables or execute administrative statements.
- Disable or remove the /my_quiz_result.php endpoint if it is not required for business operations.
# Example ModSecurity rule to block SQLi in the quiz parameter (GET or POST)
# using the libinjection-backed @detectSQLi operator
SecRule ARGS:quiz "@detectSQLi" \
    "id:1007375,phase:2,t:none,log,deny,status:403,\
    msg:'CVE-2024-7375 SQLi attempt on my_quiz_result.php',\
    logdata:'Matched data: %{MATCHED_VAR}'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.