CVE-2024-13093
Published: 02 January 2025
Summary
CVE-2024-13093 is a medium-severity Injection (CWE-74) vulnerability in Code-Projects Job Recruitment. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by validating and sanitizing the manipulated 's1' argument in /_parse/_call_main_search_ajax.php before processing in database queries.
Requires identification, prioritization, and remediation of the specific SQL injection flaw in the Seeker Profile Handler component.
Enables vulnerability scanning to detect the SQL injection vulnerability in the Job Recruitment 1.0 application for timely risk-based remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/_parse/_call_main_search_ajax.php) enables exploitation of public-facing applications (T1190) and facilitates collection of data from databases via arbitrary SQL queries (T1213.006).
NVD Description
A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. This issue affects some unknown processing of the file /_parse/_call_main_search_ajax.php of the component Seeker Profile Handler. The manipulation of the argument s1 leads to sql…
more
injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysisAI
CVE-2024-13093 is a critical SQL injection vulnerability in code-projects Job Recruitment 1.0, affecting the Seeker Profile Handler component. The issue resides in the processing of the file /_parse/_call_main_search_ajax.php, where manipulation of the argument s1 enables SQL injection. It is associated with CWEs-74 and CWE-89, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption within the affected component.
Advisories and additional details are available via VulDB entries (https://vuldb.com/?ctiid.289901, https://vuldb.com/?id.289901, https://vuldb.com/?submit.472442) and the project site (https://code-projects.org/). A public exploit disclosure is hosted on GitHub (https://github.com/UnrealdDei/cve/blob/main/sql10.md) and may be used.
The vulnerability was published on 2025-01-02T09:15:18.047, with the exploit already disclosed to the public.
Details
- CWE(s)