CVE-2024-52675 identifies a critical SQL Injection vulnerability in the SourceCodester Sentiment Based Movie Rating System version 1.0, located in the /msrps/movies.php script. SQL Injection (CWE-89) occurs when user-supplied input is improperly sanitized before being incorporated into SQL queries, allowing attackers to manipulate the database queries executed by the application. This vulnerability is remotely exploitable over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is severe, with potential for complete compromise of the backend database, including unauthorized data access, data modification, or deletion, and possibly full system compromise if the database server has elevated privileges. The vulnerability was reserved on November 15, 2024, and published on November 19, 2024, with no patches currently available. Although no exploits have been observed in the wild, the high CVSS score (9.8) reflects the ease of exploitation and the critical impact on confidentiality, integrity, and availability. The affected software is a niche movie rating system, but similar web applications with comparable vulnerabilities could be targeted. The lack of authentication requirements and user interaction makes this vulnerability particularly dangerous for exposed web servers.

The potential impact of CVE-2024-52675 is significant for organizations using the affected movie rating system or similar web applications. Successful exploitation can lead to unauthorized disclosure of sensitive data, including user information and movie ratings, which may be proprietary or commercially sensitive. Attackers could alter or delete data, undermining the integrity of the system and damaging user trust. Additionally, attackers might leverage the database access to pivot to other internal systems, potentially leading to broader network compromise. The availability of the service could be disrupted through destructive SQL commands or denial-of-service conditions. Given the critical severity and ease of exploitation, organizations face risks of data breaches, reputational damage, regulatory penalties, and operational downtime. The absence of patches increases the urgency for immediate mitigation. Industries relying on web-based rating or content management systems, especially in entertainment, media, and online platforms, are particularly vulnerable.

To mitigate CVE-2024-52675, organizations should implement the following specific measures: 1) Immediately audit the /msrps/movies.php endpoint and any similar input-handling scripts for SQL Injection vulnerabilities. 2) Apply input validation and sanitization rigorously, ensuring that all user inputs are treated as untrusted. 3) Refactor database queries to use parameterized prepared statements or stored procedures to prevent direct injection of user input into SQL commands. 4) Employ Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL Injection attempts targeting the affected endpoint. 5) Monitor database logs and application logs for unusual query patterns or errors indicative of injection attempts. 6) Restrict database user privileges to the minimum necessary to limit the impact of potential exploitation. 7) If possible, isolate the affected application in a segmented network zone to reduce lateral movement risks. 8) Stay alert for official patches or updates from the software vendor and apply them promptly once available. 9) Conduct regular security assessments and penetration testing focused on injection vulnerabilities. 10) Educate developers on secure coding practices to prevent similar vulnerabilities in future development.