SourceCodester Online Exam System POST Parameter data sql injection
CVE-2023-2696

9.8CRITICAL

Key Information:

Vendor
SourceCodester
Status
Online Exam System
Vendor
CVE Published:
14 May 2023

Summary

A vulnerability has been identified in the SourceCodester Online Exam System version 1.0, related to improper processing in the POST Parameter Handler. The flaw resides specifically in the handling of input data from the file '/matkul/data', where the manipulation of the argument 'columns[1][data]' can lead to SQL injection. This security weakness can be exploited remotely, potentially allowing attackers to gain unauthorized access to the underlying database and manipulate data at will. The public disclosure of this exploit increases the risk of attacks. It is crucial for users to evaluate their systems and apply mitigations promptly.

Affected Version(s)

Online Exam System 1.0

References

https://vuldb.com/?id.228977
vdb-entrytechnical-description
https://vuldb.com/?ctiid.228977
signaturepermissions-required
https://github.com/tht1997/CVE_2023/blob/main/Lost%20and%...
exploit

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

huutuanbg97 (VulDB User)
.