CVE-2024-53603 identifies a SQL Injection vulnerability in the PHPGurukul COVID 19 Testing Management System version 1.0, located in the password recovery functionality (/covid-tms/password-recovery.php). The vulnerability arises due to improper sanitization of the 'contactno' POST parameter, which is used in SQL queries without adequate validation or parameterization. This allows remote attackers to inject malicious SQL statements, potentially leading to arbitrary code execution on the backend database server. The vulnerability has a CVSS 3.1 base score of 7.3, indicating high severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:L) and user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality and integrity is high (C:H/I:H), while availability impact is none (A:N). Although no public exploits are currently known, the vulnerability poses a significant risk due to the sensitive nature of the application managing COVID-19 testing data. The CWE classification is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

The exploitation of this SQL Injection vulnerability could allow attackers to bypass authentication mechanisms, retrieve sensitive personal and health-related data, and potentially execute arbitrary code on the backend database server. This compromises the confidentiality and integrity of critical COVID-19 testing data, which may include personally identifiable information (PII) and health records. Such a breach could lead to privacy violations, regulatory penalties, and loss of public trust. Additionally, attackers might leverage this vulnerability to pivot within the network, escalating privileges or deploying further attacks. Given the critical role of COVID-19 testing management systems in public health, disruption or data compromise could have broader societal impacts.

To mitigate this vulnerability, organizations should immediately review and sanitize all user inputs, especially the 'contactno' parameter in the password recovery module. Implement parameterized queries or prepared statements to prevent SQL Injection. If a patch from the vendor is unavailable, consider applying web application firewall (WAF) rules to detect and block malicious SQL payloads targeting this endpoint. Conduct thorough code audits to identify and remediate similar injection flaws elsewhere in the application. Restrict access to the password recovery functionality to authenticated users where possible, and monitor logs for suspicious activity related to SQL errors or injection attempts. Additionally, enforce the principle of least privilege on the database user accounts to limit the potential damage of a successful injection.