Cyber Posture

CVE-2024-57328

CriticalPublic PoC

Published: 23 January 2025

Published
23 January 2025
Modified
29 January 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57328 is a critical-severity SQL Injection (CWE-89) vulnerability in Projectworlds Online Food Ordering System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

SI-10 directly prevents SQL injection in the login form by requiring validation and sanitization of username and password inputs before processing database queries.

SI-2 Flaw Remediation good match
prevent

SI-2 ensures timely remediation of the specific SQL injection flaw in the login form to eliminate the vulnerability.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

RA-5 vulnerability scanning detects SQL injection vulnerabilities like CVE-2024-57328 in the login form for subsequent remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection in the public-facing login form enables exploitation of a public-facing application to bypass authentication and gain unauthorized access.

NVD Description

A SQL Injection vulnerability exists in the login form of Online Food Ordering System v1.0. The vulnerability arises because the input fields username and password are not properly sanitized, allowing attackers to inject malicious SQL queries to bypass authentication and…

more

gain unauthorized access.

Deeper analysisAI

CVE-2024-57328 is a SQL injection vulnerability (CWE-89) affecting the login form in Online Food Ordering System version 1.0. The issue stems from improper sanitization of the username and password input fields, which allows attackers to inject malicious SQL queries directly into the backend database operations.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by any unauthenticated attacker with low attack complexity and no requirement for user interaction. Successful exploitation enables attackers to bypass authentication mechanisms and gain unauthorized access to the system, potentially leading to high-impact compromise of confidentiality, integrity, and availability.

The provided reference points to a GitHub repository at https://github.com/fatihtuzunn/CVEs/tree/main/CVE-2024-57328, which documents the vulnerability but does not specify mitigation steps or available patches in the given details.

Details

CWE(s)
CWE-89

Affected Products

projectworlds
online food ordering system
1.0

CVEs Like This One

CVE-2026-2136Same product: Projectworlds Online Food Ordering System
CVE-2026-3406Same vendor: Projectworlds
CVE-2026-3759Same vendor: Projectworlds
CVE-2026-3758Same vendor: Projectworlds
CVE-2026-5368Same vendor: Projectworlds
CVE-2026-3757Same vendor: Projectworlds
CVE-2025-70146Same vendor: Projectworlds
CVE-2025-2657Same vendor: Projectworlds
CVE-2025-2661Same vendor: Projectworlds
CVE-2025-2662Same vendor: Projectworlds

References