CVE-2024-24092 identifies a SQL Injection vulnerability in the Scholars Tracking System 1.0 developed by Code-projects.org, specifically targeting the login.php script. SQL Injection (CWE-89) vulnerabilities occur when user-supplied input is improperly sanitized and directly embedded into SQL queries, allowing attackers to manipulate the database query logic. In this case, the vulnerability enables an attacker with low privileges and local access to inject arbitrary SQL commands, which can lead to unauthorized data access, modification, or deletion, and potentially arbitrary code execution depending on the database backend and environment. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that exploitation requires local access but minimal privileges and no user interaction, with high impact on confidentiality, integrity, and availability. The absence of a patch or known exploits in the wild suggests this is a recently disclosed vulnerability. However, the presence of such a flaw in a login mechanism is critical because it can allow attackers to bypass authentication, escalate privileges, or compromise the entire system. The vulnerability affects the Scholars Tracking System 1.0, which is used for managing academic tracking and records, making the data sensitive and valuable. The lack of version specifics beyond 1.0 implies all deployments of this version are potentially vulnerable. The vulnerability was reserved in January 2024 and published in March 2024, indicating a recent discovery. The technical details confirm the vulnerability is recognized and cataloged by MITRE and CVE databases, but no official patch or mitigation guidance has been released yet.

The impact of CVE-2024-24092 is significant for organizations using the Scholars Tracking System 1.0, especially educational institutions managing sensitive student data. Successful exploitation can lead to full compromise of the database, exposing confidential student records, academic performance, and personal information. Attackers could alter or delete records, undermining data integrity and trustworthiness. The ability to execute arbitrary code could allow attackers to pivot within the network, escalate privileges, or deploy malware, impacting system availability and operational continuity. Given the vulnerability requires local access and low privileges, insider threats or attackers who gain initial foothold could exploit it to deepen their access. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, as public disclosure may prompt attackers to develop exploits. Organizations worldwide that rely on this system or similar PHP-based academic tracking applications are at risk, particularly those with limited security controls or outdated software management practices. The high CVSS score reflects the broad potential damage and ease of exploitation once local access is obtained.

1. Immediate mitigation should focus on restricting local access to the server hosting the Scholars Tracking System to trusted personnel only, minimizing the risk of exploitation. 2. Implement strict input validation and sanitization on all user inputs, especially in login.php, to prevent injection of malicious SQL code. 3. Refactor the application code to use parameterized queries or prepared statements instead of dynamic SQL concatenation. 4. Limit database user permissions to the minimum necessary, avoiding use of highly privileged accounts for application database connections. 5. Monitor logs for unusual database query patterns or repeated failed login attempts that may indicate exploitation attempts. 6. If possible, isolate the application environment using containerization or sandboxing to limit the blast radius of a potential compromise. 7. Engage with the software vendor or community to obtain or develop patches addressing this vulnerability. 8. Conduct regular security assessments and penetration testing focused on injection vulnerabilities. 9. Educate administrators and developers about secure coding practices to prevent similar issues in future versions. 10. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting login.php.