CVE-2024-54790 identifies a SQL Injection vulnerability in the PHPGurukul Pre-School Enrollment System version 1.0, located in the /index.php script. The vulnerability arises from improper sanitization of the 'visittime' parameter, which is directly used in SQL queries without adequate validation or parameterization. This flaw allows remote attackers to inject arbitrary SQL commands, leading to unauthorized code execution on the backend database server. The vulnerability is exploitable over the network without requiring authentication but does require some user interaction, such as visiting a crafted URL containing malicious parameters. The CVSS v3.1 base score is 7.5, reflecting high impact on confidentiality, integrity, and availability, with an attack vector of network, high attack complexity, no privileges required, and user interaction needed. Although no public exploits are currently known, the vulnerability is critical due to the potential for attackers to execute arbitrary code, extract sensitive data, or disrupt service. The affected software is used primarily in educational environments for managing preschool enrollments, which may contain sensitive personal data of children and parents. The lack of available patches or updates increases the urgency for organizations to implement mitigations. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), a common and dangerous injection flaw.

The impact of CVE-2024-54790 is significant for organizations using the PHPGurukul Pre-School Enrollment System. Successful exploitation can lead to unauthorized disclosure of sensitive personal data, including children's and parents' information, violating privacy regulations such as GDPR or COPPA. Attackers can manipulate or delete enrollment data, causing operational disruptions and loss of data integrity. The ability to execute arbitrary code on the database server may allow attackers to pivot deeper into the network, potentially compromising other systems. Availability may also be affected if attackers disrupt database operations or launch denial-of-service conditions. Educational institutions and service providers relying on this system could face reputational damage, regulatory penalties, and operational downtime. The vulnerability's network accessibility and lack of authentication requirements increase the risk of widespread exploitation if left unmitigated.

To mitigate CVE-2024-54790, organizations should immediately implement strict input validation and sanitization for the 'visittime' parameter and any other user-supplied inputs. Employ parameterized queries or prepared statements to prevent SQL injection attacks. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Monitor web server and database logs for suspicious activities related to the 'visittime' parameter or unusual SQL queries. If possible, deploy web application firewalls (WAFs) with rules targeting SQL injection patterns specific to this vulnerability. Since no official patch is currently available, consider isolating the affected system from public networks or limiting access to trusted users only. Regularly back up enrollment data and test restoration procedures to minimize data loss risks. Educate staff about phishing and social engineering tactics that might be used to trigger user interaction required for exploitation.