SourceCodester Online Exam System data sql injection
CVE-2023-2770

8.8 HIGH

Key Information:

Vendor
CVE Published: 17 May 2023

Summary

An SQL injection vulnerability exists in SourceCodester's Online Exam System 1.0, specifically within the /kelasdosen/data file. Malicious actors can exploit this flaw by manipulating the argument columns[1][data], allowing for unauthorized access to the underlying database. This manipulation can be performed remotely, making it a significant security concern. The potential for data leakage or corruption is high, as attackers can execute arbitrary SQL queries. Awareness of this vulnerability is crucial as its details have been made public, increasing the risk of exploitation.
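
For defenders reviewing web server logs, the following added example (not part of the advisory or of the vendor's code) flags requests to /kelasdosen/data whose columns[N][data] value is not a plain column name. It assumes legitimate values contain only letters, digits, underscores and dots, and that requests are logged in common log format; the sample log lines and column names are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/kelasdosen/data"                       # path named in the advisory
COLUMN_KEY = re.compile(r"columns\[\d+\]\[data\]")  # columns[1][data] and its siblings
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.]*")          # assumption: plain column names only
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')  # request field of the log line


def suspicious_params(target, body=""):
    """Return (key, value) pairs sent to the endpoint whose value is not a plain identifier.

    target is the request target from the log; body is an optional
    urlencoded form body, for deployments that capture POST data.
    """
    parts = urlsplit(target)
    # endswith() tolerates the application being installed under a sub-directory
    if not parts.path.rstrip("/").endswith(ENDPOINT):
        return []
    # parse_qsl percent-decodes keys and values, so %5B1%5D becomes [1]
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return [(k, v) for k, v in pairs
            if COLUMN_KEY.fullmatch(k) and not SAFE_VALUE.fullmatch(v)]


def scan_access_log(lines):
    """Return (line_number, key, value) for every suspicious parameter in the log."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits += [(number, k, v) for k, v in suspicious_params(match.group(1))]
    return hits


# Constructed sample lines (documentation IP range, made-up column names)
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2023:10:00:01 +0000] "GET /kelasdosen/data?draw=1&columns%5B0%5D%5Bdata%5D=id&columns%5B1%5D%5Bdata%5D=nama HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/May/2023:10:00:07 +0000] "GET /kelasdosen/data?draw=1&columns%5B1%5D%5Bdata%5D=nama%20%28not%20a%20column%29 HTTP/1.1" 200 498',
    '203.0.113.9 - - [17/May/2023:10:00:09 +0000] "GET /other/data?columns%5B1%5D%5Bdata%5D=a%20b HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, key, value in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {key} = {value!r}")
```

The same character allowlist can be enforced server-side before the parameter reaches any query; values that are percent-encoded more than once are not decoded by this check.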

Affected Version(s)

Online Exam System 1.0

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

huutuanbg97 (VulDB User)