CVE-2024-54930 in Management System
Summary
by MITRE • 12/09/2024
Kashipara E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_student.php.
Analysis
by VulDB Data Team • 06/22/2025
The Kashipara E-learning Management System version 1.0 contains a SQL injection vulnerability in the administrative endpoint /admin/delete_student.php. The student-deletion handler incorporates user-supplied request data into a database query without validating it or binding it as a query parameter. An authenticated administrator can therefore change the structure of the query that is executed, which may allow reading, modifying, or deleting data well beyond the single student record the endpoint is meant to remove.
The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which covers untrusted data being built into SQL statements without sanitization or parameterization. The attack vector is the application's failure to validate or parameterize the input before it reaches the query. Because the endpoint is administrative, exploitation requires valid administrative credentials; the flaw still matters because an administrator of the web application is not normally granted raw access to the database, so it lets such an account, or an attacker who has obtained its credentials, read or alter tables the application itself never exposes.
The operational impact extends beyond deleting the wrong record to data integrity breaches and possible wider system compromise. An attacker could extract user credentials, student records, course materials, and other sensitive educational data, corrupt records, or disrupt availability through destructive queries. Because the affected product is an e-learning management system, the exposed data may include students' personal information, academic records, and institutional data subject to regulatory requirements such as GDPR or FERPA.
The exploitation maps to ATT&CK technique T1078 (Valid Accounts), since an administrative session is required, and T1190 (Exploit Public-Facing Application) for the injection itself; T1005 (Data from Local System) covers the resulting data access. T1046 (Network Service Discovery, formerly listed as Network Service Scanning) is also associated with this entry, but it describes locating the application rather than exploiting the flaw. With database access an attacker could potentially move laterally within the system or escalate privileges. Immediate mitigations are to replace string-built queries with parameterized queries or prepared statements, to validate that the student identifier has the expected type before it is used, and to run the application with a least-privilege database account. Apply a vendor fix if one is available; where that is not possible, a web application firewall is a compensating control, not a replacement for fixing the query. Regular security assessments and code reviews should also be conducted to find the same pattern in other components of the platform.
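As an added illustration of the CWE-89 pattern and the parameterized-query mitigation described above, the delete handler is modelled in Python over an in-memory SQLite table so that it runs offline. This is example code written for this page, not the Kashipara product's own code: the parameter name `id`, the table layout, the sample rows and the input `2 OR 1=1` are constructed assumptions, not a payload confirmed against this CVE.

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from any real deployment.
STUDENTS = [(1, "alice"), (2, "bob"), (3, "carol")]


def fresh_db():
    """Return an in-memory database seeded with the constructed student rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    conn.commit()
    return conn


def delete_student_vulnerable(conn, student_id):
    """CWE-89 pattern: the request value is concatenated into the SQL text.

    Assumed shape of a delete handler that takes an `id` request parameter;
    the real /admin/delete_student.php query is not shown on the page.
    Returns the number of rows removed.
    """
    sql = "DELETE FROM students WHERE id = " + student_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_student_fixed(conn, student_id):
    """Hardened form: enforce the expected type, then bind the value as a
    query parameter so it can never be interpreted as SQL syntax.
    Raises ValueError for anything that is not an integer identifier.
    """
    try:
        sid = int(student_id)
    except (TypeError, ValueError):
        raise ValueError(f"rejected non-integer student id: {student_id!r}")
    cur = conn.execute("DELETE FROM students WHERE id = ?", (sid,))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows still present in the students table."""
    return conn.execute("SELECT COUNT(*) FROM students").fetchone()[0]


def run_demo():
    """Run the same two inputs through both handlers; returns rows left in each case."""
    results = {}
    for label, handler in (("vulnerable", delete_student_vulnerable),
                           ("fixed", delete_student_fixed)):
        for value in ("2", "2 OR 1=1"):
            conn = fresh_db()
            try:
                handler(conn, value)
                outcome = "executed"
            except ValueError:
                outcome = "rejected"
            results[(label, value)] = (outcome, remaining(conn))
    return results


if __name__ == "__main__":
    for (label, value), (outcome, left) in run_demo().items():
        print(f"{label:10s} id={value!r:12s} {outcome:9s} rows left: {left}")
```

The vulnerable handler deletes one row for the input `2` but every row for `2 OR 1=1`, because `=` binds tighter than `OR` and the `WHERE` clause becomes true for each record. The fixed handler removes the same single row for `2`, refuses the crafted value before any query runs, and would treat even a syntactically valid integer only as a value, never as SQL, because the database driver binds it separately from the statement text.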