CVE-2024-48245

High

Published: 07 January 2025

Published

07 January 2025

Modified

14 May 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0338 87.5th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-48245 is a high-severity SQL Injection (CWE-89) vulnerability in Janobe Vehicle Management System. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 12.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of all inputs including vulnerable POST parameters like Booking ID and Action Name to block malicious SQL payloads before database execution.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of flaws such as the SQL injection vulnerability in /newvehicle.php and /newdriver.php to eliminate the root cause.

SI-9 Information Input Restrictions partial match

prevent

SI-9 restricts types and quantities of input at web interfaces, limiting the scope for SQL injection exploitation via oversized or malformed POST parameters.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web app (/newvehicle.php, /newdriver.php) enables exploitation of public-facing application (T1190), data exfiltration from databases via arbitrary SQL queries (T1213.006), and privilege escalation through unauthorized access or manipulation.

NVD Description

Vehicle Management System 1.0 is vulnerable to SQL Injection. A guest user can exploit vulnerable POST parameters in various administrative actions, such as booking a vehicle or confirming a booking. The affected parameters include "Booking ID", "Action Name", and "Payment…

Confirmation ID", which are present in /newvehicle.php and /newdriver.php.

Deeper analysisAI

Vehicle Management System 1.0 is vulnerable to SQL injection (CWE-89) through unsanitized POST parameters in administrative actions, including booking a vehicle or confirming a booking. The affected parameters—"Booking ID", "Action Name", and "Payment Confirmation ID"—appear in the files /newvehicle.php and /newdriver.php. This flaw has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high-impact potential over the network with low complexity, though requiring high privileges.

A guest user can exploit the vulnerability by submitting malicious payloads to the vulnerable POST parameters during actions like vehicle booking or payment confirmation. Successful exploitation enables arbitrary SQL query execution, potentially allowing attackers to extract sensitive data, modify database records, or disrupt system availability, aligning with the high confidentiality, integrity, and availability impacts in the CVSS score.

Mitigation details are available in advisories at http://vehicle.com and https://github.com/ShadowByte1/CVE-2024-48245, published on 2025-01-07.