CVE-2024-2283 in Automated-Mess-Management-System
Summary
by MITRE • 03/08/2024
A vulnerability classified as critical has been found in boyiddha Automated-Mess-Management-System 1.0. Affected is an unknown function of the file /member/view.php. The manipulation of the argument date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-256050 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/12/2025
This critical sql injection vulnerability exists in the Automated-Mess-Management-System version 1.0 developed by boyiddha, specifically within the member/view.php component. The flaw occurs when the application fails to properly sanitize user input passed through the date parameter, allowing malicious actors to inject arbitrary sql commands into the database query execution process. The vulnerability is particularly concerning as it affects a core functionality component that handles member data viewing operations, making it a prime target for attackers seeking unauthorized database access. The sql injection vulnerability stems from improper input validation and parameter handling practices where the date argument is directly incorporated into sql queries without adequate sanitization or prepared statement usage. This allows attackers to manipulate the sql execution flow and potentially extract sensitive information, modify database records, or even execute administrative commands on the underlying database system. The remote exploitability of this vulnerability means that attackers can leverage this flaw from external networks without requiring physical access to the system, significantly expanding the attack surface and potential impact. The vulnerability has been publicly disclosed and is actively being used in the wild according to VDB-256050, indicating that threat actors have already developed working exploits. This lack of vendor response despite early notification creates additional risk for organizations using this system, as there are no official patches or mitigations available from the software vendor. The vulnerability aligns with CWE-89 sql injection weakness classification and represents a significant threat under the attack technique framework where adversaries use sql injection to gain unauthorized access to sensitive data. Organizations utilizing this system face potential data breaches, unauthorized modifications to meal records, member information exposure, and possible complete database compromise. The attack vector specifically targets the date parameter handling within the view.php file, making it essential for security teams to immediately implement defensive measures and conduct thorough vulnerability assessments of their member management systems. This vulnerability demonstrates the critical importance of input validation, proper database query construction using parameterized statements, and maintaining up-to-date security practices in web applications. The lack of vendor response further emphasizes the need for organizations to implement immediate compensating controls and consider alternative solutions while monitoring for signs of exploitation attempts in their network traffic and system logs.