CVE-2024-57430

CriticalPublic PoC

Published: 06 February 2025

Published

06 February 2025

Modified

24 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0091 76.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57430 is a critical-severity SQL Injection (CWE-89) vulnerability in Phpjabbers Cinema Booking System. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 24.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by validating and sanitizing the 'column' parameter before it is used in database queries.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and correction of the SQL injection flaw in the pjActionGetUser function to eliminate the vulnerability.

SI-9 Information Input Restrictions good match

prevent

Restricts the 'column' parameter to authorized values and formats, blocking malicious SQL injection payloads.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application enables exploitation (T1190), privilege escalation via vuln (T1068), unauthorized database access/disclosure (T1213.006), and database manipulation (T1565.001).

NVD Description

An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting this flaw can lead to unauthorized information disclosure, privilege escalation, or database manipulation.

Deeper analysisAI

CVE-2024-57430 is an SQL injection vulnerability (CWE-89) affecting the pjActionGetUser function in PHPJabbers Cinema Booking System version 2.0. The flaw allows attackers to manipulate database queries by injecting malicious input through the column parameter, potentially compromising the integrity and confidentiality of the underlying database.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the vulnerability is highly severe and remotely exploitable over the network with low complexity, requiring no authentication, privileges, or user interaction. Any unauthenticated attacker can leverage this to achieve unauthorized information disclosure, privilege escalation, or full database manipulation.

Advisories and additional details are available in the referenced GitHub repository at https://github.com/ahrixia/CVE-2024-57430, which likely includes proof-of-concept information, and the vendor's product page at https://www.phpjabbers.com/cinema-booking-system/. Practitioners should consult these sources for any patch availability or mitigation guidance.