CVE-2024-28595

CRITICAL

Employee Management System v1.0 - SQL Injection via admin_id Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-28595. PoCs published by Shubham Pandey, shubham-s-pandey.

AI-analyzed exploit summary This exploit demonstrates a time-based SQL injection vulnerability in Employee Management System v1.0 via the 'admin_id' parameter in update-admin.php. The PoC uses a SLEEP function to confirm the vulnerability by delaying the page load.

Description

SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php.

Exploits (2)

exploitdb WORKING POC

by Shubham Pandey · textwebappsphp

https://www.exploit-db.com/exploits/51911

View Code ZIP pw:eip

This exploit demonstrates a time-based SQL injection vulnerability in Employee Management System v1.0 via the 'admin_id' parameter in update-admin.php. The PoC uses a SLEEP function to confirm the vulnerability by delaying the page load.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Employee Management System v1.0

Auth required

Prerequisites: Access to the target application · Valid login credentials

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github WRITEUP 1 stars

by shubham-s-pandey · poc

https://github.com/shubham-s-pandey/CVE_POC/tree/main/CVE-2024-28595.md

View Code ZIP pw:eip

The repository contains detailed technical writeups for multiple CVEs, including CVE-2024-28595, describing SQL injection and XSS vulnerabilities in specific software versions. Each writeup includes attack vectors, affected components, and proof-of-concept steps.

Classification

Writeup 100%

Attack Type

Sqli | Xss

Complexity

Trivial

Reliability

Reliable

Target: Petrol Pump Management Software v1.0, Employee Management System v1.0

Auth required

Prerequisites: access to the vulnerable application · valid credentials for authentication

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://github.com/shubham-s-pandey/CVE_POC/blob/main/CVE-2024-28595.md

View Exploit ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.0133

EPSS Percentile 80.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-89

Status published

Products (1)

walterjnr1/employee_management_system 1.0

Published Mar 19, 2024

Tracked Since Feb 18, 2026