Cyber Resilience

CVE-2024-57328

CriticalPublic PoC

Published: 23 January 2025

Published
23 January 2025
Modified
29 January 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 7.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57328 is a critical-severity SQL Injection (CWE-89) vulnerability in Projectworlds Online Food Ordering System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57328 is a SQL injection vulnerability (CWE-89) affecting the login form in Online Food Ordering System version 1.0. The issue stems from improper sanitization of the username and password input fields, which allows attackers to inject malicious SQL queries directly into the backend database operations.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by any unauthenticated attacker with low attack complexity and no requirement for user interaction. Successful exploitation enables attackers to bypass authentication mechanisms and gain unauthorized access to the system, potentially leading to high-impact compromise of confidentiality, integrity, and availability.

The provided reference points to a GitHub repository at https://github.com/fatihtuzunn/CVEs/tree/main/CVE-2024-57328, which documents the vulnerability but does not specify mitigation steps or available patches in the given details.

EU & UK References

Vulnerability details

A SQL Injection vulnerability exists in the login form of Online Food Ordering System v1.0. The vulnerability arises because the input fields username and password are not properly sanitized, allowing attackers to inject malicious SQL queries to bypass authentication and…

more

gain unauthorized access.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the public-facing login form enables exploitation of a public-facing application to bypass authentication and gain unauthorized access.

CVEs Like This One

CVE-2026-2136Same product: Projectworlds Online Food Ordering System
CVE-2026-3406Same vendor: Projectworlds
CVE-2026-5368Same vendor: Projectworlds
CVE-2026-3757Same vendor: Projectworlds
CVE-2026-3759Same vendor: Projectworlds
CVE-2026-3758Same vendor: Projectworlds
CVE-2025-1962Same vendor: Projectworlds
CVE-2025-2067Same vendor: Projectworlds
CVE-2025-2659Same vendor: Projectworlds
CVE-2025-1965Same vendor: Projectworlds

Affected Assets

projectworlds
online food ordering system
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents SQL injection in the login form by requiring validation and sanitization of username and password inputs before processing database queries.

prevent

SI-2 ensures timely remediation of the specific SQL injection flaw in the login form to eliminate the vulnerability.

detect

RA-5 vulnerability scanning detects SQL injection vulnerabilities like CVE-2024-57328 in the login form for subsequent remediation.

References