CVE-2024-48245 identifies a SQL Injection vulnerability in Vehicle Management System 1.0, specifically in the handling of POST parameters within administrative functionalities such as booking and payment confirmation. The affected parameters include 'Booking ID', 'Action Name', and 'Payment Confirmation ID' found in /newvehicle.php and /newdriver.php scripts. SQL Injection (CWE-89) occurs when user-supplied input is improperly sanitized, allowing attackers to manipulate backend SQL queries. This vulnerability enables an attacker with at least some level of authenticated access (as indicated by the CVSS vector PR:H) to inject malicious SQL commands, potentially leading to unauthorized data access, data modification, or deletion, and disruption of service. The CVSS score of 7.2 (high) reflects the network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are known, the vulnerability poses a significant threat to organizations using this system, especially if administrative access controls are weak or compromised. The lack of available patches increases the urgency for mitigation through secure coding practices and access restrictions.

The impact of CVE-2024-48245 is substantial for organizations using Vehicle Management System 1.0. Exploitation can lead to unauthorized disclosure of sensitive data such as booking details and payment confirmations, undermining confidentiality. Integrity can be compromised by altering booking records or payment statuses, potentially causing financial loss or operational disruption. Availability may also be affected if attackers execute destructive SQL commands or cause database corruption. Given the administrative nature of the affected endpoints, attackers could gain elevated control over vehicle and driver management functions, impacting fleet operations. This could result in reputational damage, regulatory penalties, and operational downtime. Organizations with large fleets or critical transportation infrastructure are particularly vulnerable, as disruption could cascade into broader logistical challenges.

To mitigate CVE-2024-48245, organizations should immediately implement input validation and sanitization for all POST parameters, especially 'Booking ID', 'Action Name', and 'Payment Confirmation ID'. Employ parameterized queries or prepared statements to prevent SQL Injection. Restrict administrative access to trusted users and enforce strong authentication and authorization controls to limit exposure. Conduct thorough code reviews and security testing focusing on injection flaws. Monitor logs for suspicious database queries or anomalies in booking and payment processes. If patches become available from the vendor, prioritize their deployment. Additionally, consider implementing Web Application Firewalls (WAFs) with SQL Injection detection rules as a temporary protective measure. Regularly update and audit the Vehicle Management System and related components to reduce attack surface.