CVE-2024-2712 in Complete Online DJ Booking System

Summary

by MITRE • 03/21/2024

A vulnerability, which was classified as critical, has been found in Campcodes Complete Online DJ Booking System 1.0. This issue affects some unknown processing of the file /admin/user-search.php. The manipulation of the argument searchdata leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257465 was assigned to this vulnerability.

Analysis

by VulDB Data Team • 02/21/2025

This critical vulnerability resides in Campcodes Complete Online DJ Booking System version 1.0, specifically in the administrative user search function. The flaw lies in the /admin/user-search.php file, where missing input validation allows an attacker to inject arbitrary SQL through the searchdata parameter. This is a classic SQL injection vulnerability that undermines the application's database access controls and exposes user data to unauthorized access.

Exploitation occurs when an attacker supplies crafted input containing SQL syntax in the searchdata argument, which the application then processes without sanitization or parameterization. The vulnerability is classified as CWE-89, which covers SQL injection flaws where untrusted data is incorporated directly into SQL command text. The remote attack vector means that the weakness can be exploited from outside the network boundary without local system access or credentials, which makes it particularly dangerous for web applications.

The operational impact extends beyond simple data theft: an attacker could escalate privileges, extract the complete user database, modify or delete sensitive records, and in severe cases gain full administrative control over the booking system. A public exploit has been disclosed for this vulnerability (tracked as VDB-257465), which increases the risk of active exploitation in the wild. Organizations running this version of the booking system face significant exposure to data breaches, user credential compromise, and service disruption.

Mitigation should prioritize updating the affected application to a version that addresses this SQL injection. Until a patch is available, administrators should implement input validation, parameterized queries, and a web application firewall to filter SQL injection attempts. Network segmentation and access controls should be strengthened to limit exposure of the administrative interface. The vulnerability demonstrates the importance of proper input sanitization and parameterized database queries, as described in the OWASP Top Ten and the MITRE ATT&CK framework's database access techniques. Regular security assessments and vulnerability scanning should be conducted to identify similar weaknesses in other application components and to protect against similar SQL injection attacks.
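The parameterized-query mitigation, shown as an added example that is not code from the Campcodes project: the string-concatenation pattern that CWE-89 describes beside a prepared-statement version of the same search. The page does not publish the vulnerable source, so the mysqli connection, the table name tblusers and its columns are assumptions.

```php
<?php
// Added illustration of CWE-89 in a user-search handler; not the project's code.
// Assumed schema (hypothetical): tblusers(id, name, email).

// UNSAFE: the request parameter is spliced into the SQL text, so the database
// cannot distinguish the query structure from the attacker-controlled value.
function searchUsersUnsafe(mysqli $db, string $searchdata)
{
    $sql = "SELECT id, name, email FROM tblusers WHERE name LIKE '%" . $searchdata . "%'";
    return $db->query($sql);
}

// SAFE: the SQL text is sent once with a placeholder; the value is bound as a
// string afterwards and can never alter the statement's structure.
function searchUsersSafe(mysqli $db, string $searchdata): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM tblusers WHERE name LIKE ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Escape LIKE wildcards so the caller cannot widen the match with % or _;
    // MySQL's default LIKE escape character is the backslash.
    $pattern = '%' . addcslashes($searchdata, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Handler wiring (assumed connection parameters): read the parameter by name,
// reject oversized input early, then use only the parameterized path.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'djbooking');
$db->set_charset('utf8mb4');
$searchdata = (string) ($_GET['searchdata'] ?? '');
if (strlen($searchdata) > 100) {
    http_response_code(400);
    exit('search term too long');
}
$rows = searchUsersSafe($db, $searchdata);
header('Content-Type: application/json');
echo json_encode($rows);
```

The length check is defence in depth only; the prepared statement is what removes the injection, and searchUsersUnsafe is included solely to show the pattern that must not remain in the handler.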

Responsible

VulDB

Reservation

03/20/2024

Disclosure

03/21/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00601

KEV

no

Activities

very low
