CVE-2024-7639 Overview
CVE-2024-7639 is a SQL injection vulnerability in SourceCodester Kortex Lite Advocate Office Management System 1.0, developed by Mayurik. The flaw resides in delete_act.php, where the id parameter is passed to a backend query without proper sanitization. Authenticated remote attackers can manipulate the id argument to inject arbitrary SQL statements. A public proof-of-concept has been disclosed, increasing the risk of opportunistic exploitation against exposed instances. The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Attackers with low-privileged access can read, modify, or delete case management records stored in the underlying database by injecting crafted values into the id parameter of delete_act.php.
Affected Products
- Mayurik Advocate Office Management System 1.0
- SourceCodester Kortex Lite Advocate Office Management System 1.0
- delete_act.php endpoint within the application
Discovery Timeline
- 2024-08-12 - CVE-2024-7639 published to NVD
- 2024-08-15 - Last updated in NVD database
Technical Details for CVE-2024-7639
Vulnerability Analysis
The vulnerability is a classic SQL injection in the record deletion workflow of the Kortex Lite Advocate Office Management System. The delete_act.php script accepts the id parameter from the HTTP request and concatenates it directly into a SQL statement executed against the application database. Because the parameter is not validated, sanitized, or bound through prepared statements, attackers can append SQL syntax to alter the original query.
Exploitation can be performed remotely over the network and requires only low-privileged application access. Successful injection allows attackers to enumerate database schemas, exfiltrate sensitive case files and client information, or destroy data referenced by the deletion routine. Public exploitation details are available in the GitHub PoC for SQL Injection and the VulDB entry #274060. The EPSS probability is 0.155% with a percentile rank of 35.75.
Root Cause
The root cause is improper neutralization of user-supplied input in the id query string parameter of delete_act.php. The application constructs SQL queries through string concatenation rather than parameterized statements, allowing injected SQL fragments to be parsed and executed by the database engine.
Attack Vector
An authenticated attacker sends a crafted HTTP request to delete_act.php with a malicious value in the id parameter, such as a boolean-based or UNION-based payload. The injected SQL is concatenated into the deletion query and executed by the database server. No user interaction is required beyond reaching the vulnerable endpoint. Refer to the public PoC linked above for parameter formatting details; no verified exploit code is reproduced here.
Detection Methods for CVE-2024-7639
Indicators of Compromise
- HTTP requests to delete_act.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences (--, #) in the id parameter.
- Database error messages or anomalous response sizes returned from delete_act.php requests.
- Unexpected DELETE, SELECT, or schema enumeration queries originating from the application's database user account.
Detection Strategies
- Inspect web server access logs for GET or POST requests to /delete_act.php containing non-numeric values in id.
- Deploy web application firewall (WAF) signatures targeting common SQL injection patterns aimed at the deletion endpoint.
- Correlate application-tier requests with database audit logs to identify queries that deviate from the expected DELETE FROM ... WHERE id = <int> pattern.
Monitoring Recommendations
- Enable verbose query logging on the MySQL or MariaDB backend to capture parameterized values used in delete operations.
- Alert on repeated 500-series responses or timing anomalies from delete_act.php that indicate injection probing.
- Track outbound data volumes from the application database to detect bulk extraction following successful injection.
How to Mitigate CVE-2024-7639
Immediate Actions Required
- Restrict network access to the Kortex Lite Advocate Office Management System to trusted internal users until a fix is applied.
- Place a WAF in front of the application and block requests to delete_act.php with non-integer id values.
- Audit existing database accounts used by the application and revoke any unnecessary privileges such as FILE or schema modification rights.
Patch Information
At the time of publication, no official vendor advisory or patch has been released by Mayurik for CVE-2024-7639. Organizations should monitor the VulDB entry #274060 and the vendor's distribution channels for updates. If a fix is not forthcoming, consider replacing the application or applying the source-level workarounds below.
Workarounds
- Modify delete_act.php to cast the id parameter to an integer (for example, intval($_GET['id'])) before using it in SQL statements.
- Refactor the deletion query to use prepared statements with bound parameters via PDO or MySQLi.
- Implement server-side input allowlisting that rejects any id value that is not strictly numeric.
- Apply least-privilege principles to the database account used by the application so it cannot read tables outside the deletion scope.
# Example Apache mod_rewrite rule to block non-numeric id values
RewriteEngine On
RewriteCond %{REQUEST_URI} /delete_act\.php$
RewriteCond %{QUERY_STRING} (^|&)id=([^0-9&]|[0-9]*[^0-9&])
RewriteRule ^ - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
