PT-2024-33053 · Unknown · Vehicle Management System

Shadowbyte1 · Published 2024-12-23 · Updated 2025-01-08 · CVE-2024-48245

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vehicle Management System versions 1.0 through 1.3
Description: The issue is a SQL injection vulnerability. A guest user can exploit vulnerable POST parameters used in various administrative actions, such as booking a vehicle or confirming a booking. The affected parameters are Booking ID, Action Name, and Payment Confirmation ID, which are accepted by "/newvehicle.php" and "/newdriver.php".
Recommendations: For Vehicle Management System versions 1.0 through 1.3, consider disabling the vulnerable parameters Booking ID, Action Name, and Payment Confirmation ID in the affected API endpoints "/newvehicle.php" and "/newdriver.php" until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Avoid using the vulnerable parameters in administrative actions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
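As an added illustration of the recommendations above (not code from the Vehicle Management System), the following PHP handler shows how the three named parameters can be handled safely: strict validation, an allow-list for the action, a prepared statement instead of string-built SQL, and an administrator session check in front of the endpoint. The form field names, table and column names, and DSN are assumptions.

```php
<?php
// Added example, not the project's own code. Field names (booking_id,
// action_name, payment_confirmation_id), the bookings table and the DSN are assumed.
declare(strict_types=1);

function validateBookingParams(array $post): array
{
    // Booking ID and Payment Confirmation ID: positive integers only.
    $intOpts   = ['options' => ['min_range' => 1]];
    $bookingId = filter_var($post['booking_id'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $paymentId = filter_var($post['payment_confirmation_id'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    // Action Name: allow-list of the actions the endpoint actually supports (assumed set).
    $allowedActions = ['book', 'confirm', 'cancel'];
    $action = $post['action_name'] ?? '';
    if ($bookingId === false || $paymentId === false || !in_array($action, $allowedActions, true)) {
        http_response_code(400);
        exit('Invalid request');
    }
    return [$bookingId, $action, $paymentId];
}

function confirmBooking(PDO $db, int $bookingId, string $action, int $paymentId): int
{
    // Prepared statement: values are bound, never interpolated into the SQL text,
    // so a crafted parameter value cannot alter the query's structure.
    $stmt = $db->prepare(
        'UPDATE bookings SET status = :action, payment_confirmation_id = :payment WHERE id = :booking'
    );
    $stmt->bindValue(':action', $action, PDO::PARAM_STR);
    $stmt->bindValue(':payment', $paymentId, PDO::PARAM_INT);
    $stmt->bindValue(':booking', $bookingId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Usage at the top of newvehicle.php / newdriver.php: administrative actions
// are only reachable with an authenticated administrator session.
session_start();
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}
$db = new PDO('mysql:host=localhost;dbname=vms', 'vms_user', getenv('VMS_DB_PASSWORD'), [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepared statements
]);
[$bookingId, $action, $paymentId] = validateBookingParams($_POST);
$updated = confirmBooking($db, $bookingId, $action, $paymentId);
```

Disabling emulated prepares keeps parameter binding on the database server side, so the allow-listed action and integer-checked identifiers are the only values that ever reach the query.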

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2024-48245

Affected Products: Vehicle Management System