CVE-2024-8380 in Contact Manager with Export to VCF

Summary

by MITRE • 09/03/2024

A vulnerability was found in SourceCodester Contact Manager with Export to VCF 1.0. It has been rated as critical. This issue affects some unknown processing of the file /endpoint/delete-account.php of the component Delete Contact Handler. The manipulation of the argument contact leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.


Analysis

by VulDB Data Team • 09/25/2025

The vulnerability identified as CVE-2024-8380 is a critical SQL injection flaw in SourceCodester Contact Manager with Export to VCF 1.0. The weakness resides in the delete-account.php endpoint, which implements the Delete Contact Handler functionality. The application fails to sanitize or validate user input passed through the contact parameter, which gives an attacker a way to manipulate database operations with crafted input. The critical rating reflects the potential impact: successful exploitation could lead to complete system compromise or a data breach.

Exploitation is remote, meaning an attacker can trigger the SQL injection without physical access to the target system. The flaw lies in how delete-account.php processes the contact parameter: user-supplied data is incorporated directly into SQL query construction without input validation or parameterization. This maps to CWE-89, which classifies SQL injection as a weakness in which untrusted data is embedded in SQL commands. The attack surface is particularly concerning because it involves account deletion functionality, which could be leveraged to escalate privileges or disrupt service availability.

From an operational standpoint, this vulnerability poses significant risk to organizations running the affected contact management system. Remote exploitation allows attackers to execute arbitrary SQL commands against the underlying database, potentially leading to unauthorized data access, data modification, or complete database compromise. Public disclosure of exploit details amplifies the threat, since it enables both skilled and less experienced threat actors to target vulnerable installations. The impact extends beyond data theft: SQL injection can be used to establish persistent access, create backdoors, or perform privilege escalation. Because the affected component is the delete contact handler, attackers could also manipulate user account information or delete legitimate contacts, disrupting business operations.

The recommended mitigations for CVE-2024-8380 are immediate implementation of input validation and parameterized queries. Organizations should apply the vendor-supplied patch or update to the latest version of the SourceCodester Contact Manager application. In addition, proper input sanitization, including whitelisting of valid contact identifiers, and prepared statements for all database operations will significantly reduce the risk of exploitation. Network segmentation and access controls should be enforced to limit exposure of the vulnerable endpoint. The ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, highlighting the need for comprehensive application security testing and monitoring. Regular security assessments should be conducted to identify similar vulnerabilities in other components of the system, as SQL injection remains one of the most prevalent attack vectors in web applications.
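As an added example (not the SourceCodester project's own code), a hardened delete-contact handler applying the two measures named above: an integer whitelist on the contact argument and a prepared statement. The table name, column names, session key and database credentials are assumptions.

```php
<?php
// Added example, not the project's code: a hardened handler for an endpoint
// like /endpoint/delete-account.php. Assumptions: a MySQL table `contacts`
// with integer primary key `id` and an owner column `user_id`, and
// $_SESSION['user_id'] set by the application's login flow.
declare(strict_types=1);
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly, never silently

// 1. Only an authenticated user may delete, and only their own contacts.
if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('not authenticated');
}

// 2. Whitelist the identifier: `contact` must be a positive integer.
//    Quotes, comment markers or keywords are rejected before any query is built.
$contact = filter_input(INPUT_POST, 'contact', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($contact === false || $contact === null) {
    http_response_code(400);
    exit('invalid contact id');
}

// 3. Parameterized query: the value is bound, never concatenated into SQL.
//    This replaces the unsafe pattern of building the DELETE statement by
//    string concatenation with the raw request parameter.
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'contact_manager');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('DELETE FROM contacts WHERE id = ? AND user_id = ?');
$stmt->bind_param('ii', $contact, $_SESSION['user_id']);
$stmt->execute();

// 4. An ownership mismatch and a missing row look the same to the caller,
//    so one user cannot probe for another user's contact ids.
if ($stmt->affected_rows === 0) {
    http_response_code(404);
    exit('no such contact');
}
echo 'deleted';
```

Restricting the endpoint to POST (or adding a CSRF token) is a separate hardening step the page does not cover and is left out here.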

Responsible

VulDB

Disclosure

09/03/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00096

KEV

no

Activities

very low

Sources
