### Key Information

**Vulnerability Name:**
- SourceCodester Attendance and Payroll System 1.0 /admin/overtime_add.php ID SQL Injection

**Vulnerability ID:**
- VDB-281963
- CVE-2024-10422

**Affected Version:**
- SourceCodester Attendance and Payroll System 1.0

**Vulnerability Scores:**
- **CVSS Meta Temp Score:** 6.0
- **Current Exploit Price:** $0-$5k
- **CTI Interest Score:** 1.33

**Impact:**
- **Issue Description:** A critical vulnerability has been identified in the file `/admin/overtime_add.php`. Manipulation of the parameter `id` with untrusted input leads to an SQL injection vulnerability.
- **CWE ID:** CWE-89
- **CWE Description:** The product constructs SQL commands using external, untrusted input, but does not properly neutralize (or fails to neutralize) special elements that could alter the intended SQL command when it is sent to downstream components.
- **Impact:** Affects confidentiality, integrity, and availability.

**Vulnerability Details:**
- **Identification:** Classified as critical, affecting file `/admin/overtime_add.php`.
- **Issue Description:** Manipulation of the parameter `id` via untrusted input results in SQL injection.
- **Attack Possibility:** Remote attack possible.
- **Disclosure:** Publicly disclosed, potentially exploitable.

**Exploitation and Publicity:**
- **Exploitation:** Public exploit available.
- **Publicity:** Publicly disclosed.
- **Technical Details:** Known.
- **Public Exploit:** Known.
- **Attack Technique:** According to MITRE ATT&CK, uses technique T1505.

**Exploit Tools and Resources:**
- **Exploit Tools:** Available on github.com.
- **Public Exploit:** Available on github.com; publicly disclosed.
- **Exploit Method:** Vulnerable targets can be found by searching `inurl:admin/overtime_add.php`.

**Recommendations and Solutions:**
- **Recommendation:** Replace affected components.
- **Alternative Products:** Refer to similar entries such as VDB-198322, VDB-198323, VDB-198324, and VDB-198325.

**Copyright and License:**
- **Copyright:** 1997-2024 vuldb.com, CC by-nc-sa
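The CWE-89 weakness described above (an `id` parameter concatenated into SQL text) is the kind of defect that a parameterised query removes. The following is an added example, not code from the Attendance and Payroll System or from VulDB: a hypothetical lookup handler written once in the vulnerable style and once hardened with input validation and a prepared statement. The table name `overtime`, the function names and the `mysqli` connection are assumptions for illustration.

```php
<?php
// Added example (hypothetical); not the application's own overtime_add.php.
// Shows the CWE-89 pattern on an `id` parameter and the corresponding fix.

declare(strict_types=1);

// --- Vulnerable pattern (for contrast only) ---
// The untrusted request value becomes part of the SQL text itself, so any
// special characters in it are interpreted as SQL rather than as data.
function overtimeLookupUnsafe(mysqli $db, string $id): ?array
{
    $sql = "SELECT * FROM overtime WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// --- Hardened version ---
// 1. Validate the shape of the input: an overtime record id must be a
//    positive integer, so anything else is rejected before any SQL is built.
// 2. Bind the value as a parameter so it is sent separately from the
//    statement text and can never change the query structure.
function overtimeLookupSafe(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        // Invalid or out-of-range id: refuse rather than guess.
        return null;
    }

    $stmt = $db->prepare("SELECT * FROM overtime WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException('Failed to prepare statement: ' . $db->error);
    }
    $stmt->bind_param('i', $id);      // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Typical use at the top of a request handler (assumed connection details):
// $db  = new mysqli('localhost', 'app_user', 'app_password', 'payroll');
// $row = overtimeLookupSafe($db, (string)($_GET['id'] ?? ''));
```

The validation step is deliberately separate from the prepared statement: binding alone already prevents injection, but rejecting non-integer ids early also keeps malformed requests out of logs and error paths, which makes probing against this endpoint easier to spot in web server and database logs.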