SourceCodester Online Exam System POST Parameter data SQL injection
CVE-2023-2693

9.8 CRITICAL

Key Information:

Vendor
CVE Published: 14 May 2023

Summary

A SQL injection vulnerability has been identified in SourceCodester Online Exam System 1.0, in the POST Parameter Handler of the file /mahasiswa/data. The argument columns[1][data] is handled improperly, which allows an attacker to manipulate SQL queries. The attack can be launched remotely and can lead to unauthorized access and data breaches. The exploit has been disclosed publicly, which raises concern about widespread malicious use. The affected component needs to be secured promptly to prevent exploitation.

Affected Version(s)

Online Exam System 1.0

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

huutuanbg97 (VulDB User)