CVE-2024-1928 · CWE-89 · Disclosed 2024-02-29

A vulnerability

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a lockpick hidden inside the janitor's closet, not a rock through the front window

CVE-2024-1928 is an SQL injection flaw in SourceCodester Web-Based Student Clearance System 1.0. The vulnerable path is /admin/edit-admin.php on the *Edit User Profile* workflow, where the Fullname parameter is reported as injectable. The affected software appears to be the single downloadable 1.0 release published on SourceCodester; I could not find a newer fixed upstream release or vendor patch advisory.

The original CNA score of 4.7 / MEDIUM is closer to reality than the later NVD enrichment to 7.2 / HIGH. The decisive friction is PR:H: an attacker already needs high-privilege application access to reach the vulnerable form, which makes this a post-auth, narrow-reach bug in a low-footprint PHP app rather than an internet-scale initial-access event.

"This is post-auth admin-panel SQLi in niche PHPware, not a fleet-wide fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into the admin panel

The attacker must first obtain a valid admin session for the application's /admin area. That can happen through stolen credentials, password reuse, exposed demo credentials left unchanged, or an earlier bug such as the adjacent unauthenticated login SQLi CVE-2024-1927. Tooling is trivial: a browser, Burp Suite, or curl is enough.
Conditions required:
  • The target actually runs SourceCodester Web-Based Student Clearance System 1.0
  • The admin interface is reachable to the attacker
  • The attacker has high-privilege application credentials or chained prior compromise
Where this breaks in practice:
  • This prerequisite implies post-initial-access in most enterprises
  • Niche academic PHP projects have limited enterprise deployment footprint
  • Modern SSO, MFA, VPN gating, or simple non-exposure of /admin cuts off this step
Detection/coverage: Standard vuln scanners may miss this because authenticated admin coverage is uncommon. Web logs should still show access to /admin/edit-admin.php under privileged sessions.
STEP 02

Reach the Edit User Profile form

After authentication, the attacker navigates to the admin user-management workflow and opens the edit profile page handled by /admin/edit-admin.php. Public references tie the issue specifically to editing the Fullname field, so the path is not broad site-wide SQLi but one named admin action. Typical tools here are Burp Suite for request interception or sqlmap if the request structure is stable enough.
Conditions required:
  • Admin role can access user management and profile editing
  • The attacker can submit the Fullname parameter to the back-end
Where this breaks in practice:
  • Role-based UI controls may restrict access even among authenticated users
  • Some installs are local-only or campus-internal rather than internet-exposed
Detection/coverage: Authenticated DAST can catch this if it logs into the app and exercises admin workflows; unauthenticated scanners usually will not.
STEP 03

Inject SQL through Fullname

The reported bug is classic SQL injection: attacker-supplied input in Fullname reaches a database query without safe parameterization. If exploitability matches the report, the attacker can alter the intended query to read or modify database content reachable by the application's DB account. sqlmap or manual payloads in Burp Repeater are the likely weaponized paths.
Conditions required:
  • The back-end query really does concatenate Fullname into SQL without parameterization
  • Database driver and query context permit useful payload execution
Where this breaks in practice:
  • The public GitHub reference linked by VulDB/NVD is an XSS note, not a clean SQLi PoC, which lowers confidence in plug-and-play weaponization
  • If the query is constrained, blind, or only updates one row, impact can be annoying but not transformational
Detection/coverage: WAFs may spot obvious SQL metacharacters, but many deployments of this kind of app have no WAF at all. Application and DB logs may show malformed update statements or quote-heavy payloads.
STEP 04

Turn DB access into actual impact

The maximum practical impact depends on the DB account privileges behind the PHP app. In the common case, the attacker can tamper with user records or dump student/admin data; in a worse case, overly privileged DB accounts can expand the blast radius. But because the attacker is already a privileged app user, the incremental gain is narrower than CVSS impact labels suggest.
Conditions required:
  • The application's database account has meaningful read/write rights
  • Sensitive records are stored in the same database
Where this breaks in practice:
  • This usually stays inside one app/database boundary rather than becoming domain-wide compromise
  • EDR, NGFW, or email tooling do not matter here; the main control is simply not letting attackers reach authenticated admin workflows
Detection/coverage: Look for privileged sessions followed by unusual profile edits, bulk row changes, or DB query anomalies. Most exposure management platforms will have weak product fingerprinting for this exact app.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: No credible active exploitation evidence located. I found public disclosure and a reference to an exploit being available, but no KEV entry, no campaign reporting, and no public incident reporting tied to this CVE.
KEV status: Not KEV-listed. CISA's Known Exploited Vulnerabilities Catalog does not list CVE-2024-1928.
Proof-of-concept availability: Weak / noisy. VulDB and NVD reference a GitHub file by xiahao90, but the linked write-up is labeled XSS and shows editing Fullname with <script>alert(1)</script>, not a clean SQLi exploit. That mismatch lowers confidence in mature weaponization.
EPSS: 0.0007 with low percentile context reported by public CVE mirrors; that is consistent with a bug that is technically real but operationally unattractive.
CVSS disagreement: CNA/VulDB: 4.7 MEDIUM with AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L; NVD later enriched it to 7.2 HIGH with C:H/I:H/A:H. I do not buy the NVD uplift because the attacker still needs high-privilege app access.
Affected versions: SourceCodester Web-Based Student Clearance System 1.0 only, specifically /admin/edit-admin.php and the Fullname argument in the edit profile flow.
Fixed version: No authoritative fixed release found. SourceCodester still appears to offer the same 1.0 package, and I found no vendor advisory naming a patched version or backport.
Exposure / reachability: Reachability is naturally narrow. This is a niche PHP project distributed on SourceCodester for academic use; the public project page shows limited ecosystem scale compared with mainstream enterprise software, and public internet scanners do not appear to fingerprint this app reliably.
Disclosure timeline: VulDB/CVE publication traces place disclosure on 2024-02-27 to 2024-02-29 depending on source formatting; NVD shows publication on 2024-02-28 and later modification on 2024-12-18.
Researcher / source: The CVE was assigned through VulDB. The linked public reference names [email protected] as exploit author for the associated write-up.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.9/10)

The single biggest reason this lands in LOW is that exploitation requires high-privilege authenticated access to an admin workflow, which means the attacker is already well past the hard part. This is a real bug, but it is not a practical initial-access path and its blast radius is usually confined to one niche application and its database.

HIGH Prerequisite analysis: this is post-auth admin-path exposure
MEDIUM Technical impact once triggered: likely DB read/write, but evidence quality is thin
HIGH Threat prioritization: no KEV and very low EPSS support de-prioritization

Why this verdict

  • Down from the vendor/NVD noise: the reachable population is narrow because the attacker must reach an authenticated admin-only page, not a public endpoint.
  • Post-initial-access penalty: PR:H means the exploit assumes stolen admin credentials, an insider, or a chained earlier compromise; every one of those is compounding downward pressure on severity.
  • Low enterprise prevalence: this is SourceCodester hobbyware/academic PHP, not a broadly deployed business platform, so the fleet-level blast radius is small even if the code is vulnerable.

Why not higher?

I am not scoring this higher because there is no strong evidence of active exploitation, no KEV listing, and no sign of a turnkey SQLi PoC that defenders should expect to be mass-used tomorrow. Most importantly, the attacker already needs privileged app access, which strips away the main thing that makes SQL injection urgent in the real world: cheap unauthenticated reach.

Why not lower?

I am not dropping this to IGNORE because authenticated SQL injection is still a trust-boundary failure and can let a malicious admin session bypass application logic to read or tamper with backend data. If you actually run this app, especially internet-exposed, it still deserves cleanup and compensating controls even if it is not an emergency.

05 · Compensating Control

What to do — in priority order.

  1. Put /admin behind identity controls — Require VPN, SSO, and MFA for the admin path so the main exploit prerequisite stays hard. For a LOW verdict there is no noisgate mitigation SLA; treat this as backlog hygiene, but do it during the next normal access-control hardening cycle.
  2. Restrict source IPs to admin pages — Allow only campus IT, helpdesk jump hosts, or management subnets to reach /admin/*. That sharply reduces who can even attempt the vulnerable workflow; for LOW, there is no formal mitigation deadline, so roll this into routine perimeter cleanup.
  3. Watch for edits to edit-admin.php workflows — Add web log monitoring for unusual POSTs to /admin/edit-admin.php, especially quote-heavy or SQL-metacharacter-laden Fullname values. For LOW, implement as part of normal detection engineering rather than a break-fix sprint.
  4. Plan replacement or code remediation — Because no authoritative patched release is visible, the durable fix is local code repair: parameterized queries, least-privilege DB credentials, and possibly retiring this app entirely. For LOW, schedule this as backlog maintenance instead of emergency patching.
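The following is an added example (not part of this assessment or of the SourceCodester project) that turns items 2 and 3 above into scoring logic: it flags POSTs to /admin/edit-admin.php from outside assumed management subnets and Fullname values dense in SQL metacharacters, while tolerating a single apostrophe in a legitimate name. The JSON-lines audit log format, the subnets, the threshold and the function names are assumptions; the stock app writes no such log.

```python
import ipaddress
import json
import re

TARGET_PATH = "/admin/edit-admin.php"  # admin action named in the CVE
# Assumed management subnets permitted to reach /admin (item 2 above).
ADMIN_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
# Quotes, comment markers and keywords typical of quote-heavy SQLi payloads.
SQL_META = re.compile(r"""['"`;]|--|/\*|\*/|\b(?:OR|AND|UNION|SELECT|UPDATE|SLEEP|BENCHMARK)\b""", re.IGNORECASE)
SUSPECT_THRESHOLD = 3  # one apostrophe (O'Brien) is normal; several hits are not

def metachar_score(value: str) -> int:
    """Count SQL metacharacter and keyword hits in a submitted form value."""
    return len(SQL_META.findall(value))

def assess(event: dict) -> list:
    """Return findings for one request event; an empty list means nothing notable."""
    findings = []
    if event.get("method") != "POST" or event.get("path") != TARGET_PATH:
        return findings  # only the vulnerable admin action is in scope
    if not any(ipaddress.ip_address(event["client_ip"]) in net for net in ADMIN_ALLOWLIST):
        findings.append("admin-edit-from-unlisted-source")
    score = metachar_score(event.get("fullname", ""))
    if score >= SUSPECT_THRESHOLD:
        findings.append(f"sqli-suspect-fullname:score={score}")
    return findings

def scan_log(lines) -> list:
    """Findings per parseable JSON log line; malformed lines are skipped."""
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        results.append(assess(event))
    return results

# Constructed sample events (hypothetical log format, not from the real app).
SAMPLE_EVENTS = [
    {"client_ip": "10.20.4.9", "method": "POST", "path": TARGET_PATH, "fullname": "Jane O'Brien"},
    {"client_ip": "203.0.113.77", "method": "POST", "path": TARGET_PATH, "fullname": "Jane Doe"},
    {"client_ip": "10.20.4.9", "method": "POST", "path": TARGET_PATH, "fullname": "x' OR '1'='1' -- "},
    {"client_ip": "10.20.4.9", "method": "GET", "path": TARGET_PATH},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not json at all"]

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Tune the allowlist and threshold to the real estate; the keyword list is deliberately short so ordinary names are not flagged.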
What doesn't work
  • A generic endpoint EDR agent on the web server will not reliably stop an authenticated SQLi request before the database query runs.
  • Password rotation alone is not enough if the app remains broadly reachable and admins can still be phished or their sessions stolen.
  • A network vulnerability scan without authenticated crawling usually will not reach the admin-only form and may falsely reassure you.
06 · Verification

Crowdsourced verification payload.

Run this on the target Linux/PHP web host or a mounted container image, not from an auditor workstation. Invoke it as sudo bash verify-cve-2024-1928.sh /var/www or point it at your web root; root is helpful for reading all app files but not strictly required if permissions are open enough.

noisgate-verify.sh
#!/usr/bin/env bash
# verify-cve-2024-1928.sh
# Detect likely presence of SourceCodester Web-Based Student Clearance System 1.0
# affected by CVE-2024-1928.
#
# Exit codes:
#   0 = PATCHED (not currently emitted: no fixed upstream version is known)
#   1 = VULNERABLE
#   2 = UNKNOWN / usage error
#
# Notes:
# - No authoritative fixed upstream version was found during research.
# - If the app fingerprint is found, this script reports VULNERABLE.
# - If nothing matches, it reports UNKNOWN rather than claiming safety.

set -euo pipefail

ROOT="${1:-/var/www}"

if [[ ! -d "$ROOT" ]]; then
  echo "UNKNOWN - path not found: $ROOT"
  exit 2
fi

found=0

while IFS= read -r -d '' f; do
  dir="$(dirname "$f")"
  parent="$(dirname "$dir")"

  # Heuristics for this specific app family
  login_php="$dir/login.php"
  app_root="$parent"

  indicator_score=0

  if grep -Rqs "student_clearance_system_Aurthur_Javis" "$app_root" 2>/dev/null; then
    indicator_score=$((indicator_score+1))
  fi

  if grep -Rqs "student_clearance" "$app_root" 2>/dev/null; then
    indicator_score=$((indicator_score+1))
  fi

  if [[ -f "$login_php" ]] && grep -qs "admin" "$login_php"; then
    indicator_score=$((indicator_score+1))
  fi

  # Direct CVE path match
  if [[ "$f" == */admin/edit-admin.php ]]; then
    indicator_score=$((indicator_score+1))
  fi

  if (( indicator_score >= 2 )); then
    echo "VULNERABLE - probable SourceCodester Web-Based Student Clearance System instance found at: $app_root"
    found=1
  fi
done < <(find "$ROOT" -type f -name 'edit-admin.php' -path '*/admin/*' -print0 2>/dev/null)

if (( found == 1 )); then
  exit 1
fi

echo "UNKNOWN - no authoritative fixed version is known, and no matching app fingerprint was found under: $ROOT"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not treat this like an emergency patch wave. First, identify whether this niche PHP app exists anywhere in your estate and whether its /admin path is internet-reachable; if it does, restrict admin access and document ownership during normal backlog work. Because this is LOW, there is no noisgate mitigation SLA (treat it as backlog hygiene) and no urgent patch clock either; if you keep the app, schedule code remediation or platform retirement as ordinary maintenance rather than an out-of-band response.

Sources

  1. NVD CVE-2024-1928
  2. CIRCL Vulnerability-Lookup entry for CVE-2024-1928
  3. SourceCodester project page for Web-Based Student Clearance System
  4. GitHub reference linked by VulDB/NVD
  5. CISA Known Exploited Vulnerabilities Catalog
  6. CISA Vulnerability Summary for the week of February 26, 2024
  7. OpenCVE snapshot for CVE-2024-1928
  8. OSV record for CVE-2024-1928