CVE-2024-24099 identifies a SQL Injection vulnerability in the Code-projects Scholars Tracking System version 1.0, specifically within the Employment Status Information Update feature. SQL Injection (CWE-89) occurs when user-supplied input is improperly sanitized before being incorporated into SQL queries, allowing attackers to manipulate the database queries executed by the application. In this case, an authenticated user with low privileges can inject malicious SQL commands, potentially accessing or modifying sensitive data related to employment status records. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score of 5.4 indicates medium severity, with attack vector as network, low attack complexity, requiring privileges, no user interaction, and impacting confidentiality and integrity but not availability. No patches or known exploits have been reported as of the publication date. The lack of patches means organizations must rely on mitigation strategies such as input validation, query parameterization, and least privilege principles until an official fix is available. Given the nature of the affected system—used for tracking scholar employment information—data confidentiality and integrity are critical, and exploitation could lead to unauthorized data disclosure or unauthorized data modification.

The primary impact of this vulnerability is on the confidentiality and integrity of employment status data within the Scholars Tracking System. Attackers exploiting this flaw can potentially read sensitive information, such as employment details of scholars, or alter records, leading to data corruption or misinformation. Although availability is not affected, the breach of confidentiality and integrity can have serious consequences, including privacy violations, reputational damage, and compliance issues for organizations managing scholar data. Since the vulnerability requires authentication with low privileges, insider threats or compromised user accounts pose a significant risk. Organizations relying on this system, especially educational institutions and scholarship management bodies, may face operational disruptions and legal liabilities if sensitive data is exposed or altered. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

To mitigate this vulnerability, organizations should implement strict input validation and sanitization on all user inputs related to Employment Status Information Update. Employing parameterized queries or prepared statements is critical to prevent SQL Injection attacks. Review and enforce the principle of least privilege on database accounts used by the application, ensuring they have only necessary permissions to limit potential damage. Monitor logs for unusual database query patterns that may indicate attempted exploitation. Until an official patch is released, consider isolating the affected system from untrusted networks and restricting access to trusted users only. Conduct security awareness training for users with access to reduce the risk of credential compromise. Additionally, perform regular security assessments and code reviews focusing on input handling to identify and remediate similar vulnerabilities proactively.