CVE-2024-5234 in Complete Web-Based School Management System

Summary

by MITRE • 05/23/2024

A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /view/teacher_salary_history1.php. The manipulation of the argument index leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-265985 was assigned to this vulnerability.


Analysis

by VulDB Data Team • 06/12/2026

The vulnerability in Campcodes Complete Web-Based School Management System version 1.0 is a critical SQL injection flaw that compromises the integrity of the entire system. It exists within the /view/teacher_salary_history1.php file, where user input is improperly handled during processing of the index argument. The flaw allows malicious actors to inject arbitrary SQL commands through the index parameter, potentially gaining unauthorized access to sensitive educational data including teacher salary information, personal details, and institutional records. The vulnerability has been publicly disclosed and is actively being exploited, making it particularly dangerous for organizations using this software. According to the Common Weakness Enumeration database, this vulnerability maps to CWE-89, which covers SQL injection vulnerabilities in which untrusted data is incorporated directly into SQL queries without proper sanitization or parameterization.

The operational impact of this vulnerability extends far beyond simple data theft, as it gives attackers the ability to manipulate the underlying database structure and potentially escalate privileges within the application. Because exploitation is remote, attackers need no physical access to the network or system, so the flaw is reachable by anyone with internet connectivity and knowledge of the targeted system. The attack surface is broad, since the index argument is likely used across multiple functions within the teacher salary history module, potentially allowing widespread data compromise. Organizations using this software face significant risk of data breaches, regulatory violations, and legal consequences from the exposure of sensitive personal and financial information of educational staff members.

Mitigation of this vulnerability must be implemented immediately and comprehensively. The primary fix is proper input validation and parameterized queries throughout the application, specifically within the teacher_salary_history1.php file and related components. All user-supplied input should be sanitized and validated before processing, with strict type checking and length restrictions applied to the index argument. Database access should be restricted through proper privilege management, ensuring that application accounts hold only the minimum necessary permissions and that direct SQL execution is minimized. Organizations should also deploy web application firewalls and intrusion detection systems to monitor for suspicious SQL injection patterns. According to the MITRE ATT&CK framework, this vulnerability could be categorized under initial access techniques, specifically the use of SQL injection as a means to establish persistence and escalate privileges. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities throughout the application codebase, and automated vulnerability scanning should be used to monitor continuously for similar issues across the entire system infrastructure.
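As an added illustration of the mitigation described above (strict type checking on the index argument plus parameterized queries and a least-privilege database account), the following PHP is example code written for this page; it is not the vendor's code and does not reproduce the affected file. The table and column names, the `salary_reader` account, the connection details and the function names are all assumptions. The first function shows the generic unsafe pattern of splicing a request parameter into the query text (the CWE-89 defect class); the second validates `index` as a bounded integer and binds it through a PDO prepared statement.

```php
<?php
// Added example (not from the Campcodes project). Table/column names,
// account names and connection details are assumptions for illustration.

// Unsafe pattern: the request parameter becomes part of the SQL text,
// so whoever supplies "index" also controls the query structure.
// This is the defect class (CWE-89) the advisory describes.
function salaryHistoryUnsafe(mysqli $db, array $query)
{
    $index = $query['index'] ?? '';
    $sql = "SELECT teacher_id, month, amount FROM teacher_salary WHERE id = '$index'";
    return $db->query($sql);
}

// Hardened pattern, step 1: validate the argument as a bounded integer.
// FILTER_VALIDATE_INT rejects anything that is not a plain decimal
// integer; the range keeps out negative and absurdly large values.
function validateIndex(mixed $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $value === false ? null : $value;
}

// Hardened pattern, step 2: pass the value as a bound parameter, never
// as query text. Reject invalid input rather than trying to "clean" it.
function salaryHistorySafe(PDO $db, array $query): array
{
    $index = validateIndex($query['index'] ?? null);
    if ($index === null) {
        http_response_code(400);
        return [];
    }

    $stmt = $db->prepare(
        'SELECT teacher_id, month, amount FROM teacher_salary WHERE id = :id'
    );
    $stmt->bindValue(':id', $index, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection helper: an assumed read-only account holding only SELECT
// on the tables this page needs, with server-side prepares enabled so
// parameters are bound by the database rather than interpolated client-side.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=school;charset=utf8mb4',
        'salary_reader',                 // assumed least-privilege account
        getenv('DB_PASSWORD') ?: '',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Usage inside the request handler:
// $rows = salaryHistorySafe(connect(), $_GET);
```

Validation and parameterization do different jobs and both are kept: the integer check rejects malformed requests early and gives a clean 400 to log on, while the bound parameter guarantees that even a value which slips past validation can never alter the query structure. Disabling emulated prepares matters because with emulation on, PDO builds the SQL string client-side and the protection depends on correct quoting rather than on the server's binding.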

Responsible

VulDB

Disclosure

05/23/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00407

KEV

no

Activities

very low

Sources
