CVE-2024-28323: n/a
The bwdates-report-result.php file in Phpgurukul User Registration & Login and User Management System 3.1 contains a potential security vulnerability related to user input validation. The script retrieves user-provided date inputs without proper validation, making it susceptible to SQL injection attacks.
AI Analysis
Technical Summary
CVE-2024-28323 describes a SQL injection flaw (CWE-89) in the bwdates-report-result.php script of the Phpgurukul User Registration & Login and User Management System version 3.1. The script reads user-supplied date-range parameters and builds its SQL statement from them without validation, escaping or parameterization, so an attacker can supply input that changes the structure of the query and read or modify data the report was never meant to expose. As recorded here, exploitation needs no authentication and no user interaction and is reachable over the network. The CVSS 3.1 base score of 6.5 corresponds to the vector AV:N/AC:L/PR:N/UI:N/C:L/I:L/A:N: confidentiality and integrity are affected at a low level and availability is not. No vendor patch and no public exploit are documented at the time of this analysis. The flaw is a textbook case for prepared statements, strict input validation and least-privilege database accounts in PHP applications.
Potential Impact
If exploited, this vulnerability could let an attacker read sensitive records from the application database, including the personal information a user registration system holds, and modify or delete data, undermining its integrity. Availability is not directly affected, but a breach of confidentiality and integrity can still mean reputational damage, regulatory penalties and loss of user trust. Because no authentication is required, the flaw is exploitable from the internet wherever the application is exposed, which raises the likelihood of opportunistic mass exploitation. Organizations that rely on this software for user management or authentication face an elevated risk of data breaches and unauthorized access.
Mitigation Recommendations
Organizations should immediately audit bwdates-report-result.php and every other script that handles request parameters for missing validation and sanitization. Replace string-built queries with parameterized queries or prepared statements so that user input is always bound as data, never interpreted as SQL. Validate date inputs against a strict format (for example YYYY-MM-DD) and a sensible range before they reach the query layer; this does not replace parameterization, it complements it. Run code review and penetration testing focused on injection flaws. Grant the application's database account only the privileges the application needs so that a successful injection cannot escalate into full database compromise. Monitor web server and database logs for requests to this endpoint carrying quote characters, SQL keywords or comment sequences in the date parameters. Until a fix is in place, restrict network access to the application or to the report endpoint, and engage the vendor or community for a patch. A Web Application Firewall with SQL injection rules for this endpoint is a useful stopgap but not a substitute for fixing the code.
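The injection mechanism described in the technical summary and the fix recommended above, as an added example that is not code from the Phpgurukul project: Python with an in-memory SQLite database stands in for the PHP/MySQL original, the table and column names (tblusers, regdate) and the query shape are assumptions, and the sample rows are constructed. The vulnerable function concatenates the date parameters into the statement; the hardened function validates them as calendar dates and binds them as parameters.

```python
import re
import sqlite3
from datetime import date

# Constructed sample rows standing in for the application's user table.
# Table and column names are assumptions, not the Phpgurukul schema.
SAMPLE_USERS = [
    (1, "alice", "alice@example.com", "2024-01-10"),
    (2, "bob", "bob@example.com", "2024-02-14"),
    (3, "carol", "carol@example.com", "2024-03-01"),
]

# Shape check only; calendar validity is checked separately below.
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def build_db():
    """Create an in-memory SQLite database loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblusers (id INTEGER, username TEXT, email TEXT, regdate TEXT)"
    )
    conn.executemany("INSERT INTO tblusers VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def report_vulnerable(conn, fromdate, todate):
    """The flawed pattern: request parameters concatenated straight into SQL.

    A fromdate such as  2024-02-01' OR '1'='1  turns the WHERE clause into
    regdate >= '2024-02-01' OR '1'='1' AND regdate <= '...', which is true
    for every row because AND binds tighter than OR.
    """
    sql = (
        "SELECT id, username, email FROM tblusers "
        f"WHERE regdate >= '{fromdate}' AND regdate <= '{todate}'"
    )
    return conn.execute(sql).fetchall()


def validate_date(value):
    """Accept only a well-formed YYYY-MM-DD date; raise ValueError otherwise."""
    if not isinstance(value, str) or not ISO_DATE.fullmatch(value):
        raise ValueError(f"rejected date input: {value!r}")
    date.fromisoformat(value)  # rejects impossible dates such as 2024-02-30
    return value


def report_hardened(conn, fromdate, todate):
    """Validated inputs bound as parameters: the input can never become SQL."""
    fromdate = validate_date(fromdate)
    todate = validate_date(todate)
    if fromdate > todate:
        raise ValueError("fromdate must not be later than todate")
    sql = (
        "SELECT id, username, email FROM tblusers "
        "WHERE regdate >= ? AND regdate <= ?"
    )
    return conn.execute(sql, (fromdate, todate)).fetchall()


def hardened_rejects(conn, fromdate, todate):
    """True if the hardened report refuses the input instead of running it."""
    try:
        report_hardened(conn, fromdate, todate)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "2024-02-01' OR '1'='1"
    print("legit   :", report_vulnerable(db, "2024-02-01", "2024-02-28"))
    print("injected:", report_vulnerable(db, payload, "2024-02-28"))
    print("hardened:", report_hardened(db, "2024-02-01", "2024-02-28"))
    print("rejected:", hardened_rejects(db, payload, "2024-02-28"))
```

The legitimate range returns one row from both functions; the tautology payload makes the vulnerable query return the whole table, while the hardened version refuses it before any SQL runs. In the PHP original the same fix is a PDO or mysqli prepared statement with bound parameters, plus the date check in front of it.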
Affected Countries
India, United States, United Kingdom, Germany, Australia, Canada, Pakistan, Bangladesh, Nigeria, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d8db7ef31ef0b588545
Added to database: 2/25/2026, 9:45:49 PM
Last enriched: 2/26/2026, 11:17:43 AM
Last updated: 4/11/2026, 7:02:17 PM