Online Examination System v1.0 - Multiple Authenticated SQL Injections (SQLi)
CVE-2023-45116

8.8HIGH

Key Information:

Vendor

Projectworlds Pvt. Limited

Status
Online Examination System
Vendor
CVE Published:
21 December 2023

What is CVE-2023-45116?

The Online Examination System version 1.0 contains multiple vulnerabilities that allow for Authenticated SQL Injection via the 'demail' parameter in the /update.php endpoint. The application fails to validate the incoming data, allowing potentially malicious characters to bypass filtering and be executed in SQL queries. This can lead to unauthorized data access, data manipulation, or even full administrative control of the database.

Affected Version(s)

Online Examination System 1.0

References

https://fluidattacks.com/advisories/argerich/
third-party-advisory
https://projectworlds.in/
product

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2023-45116 : Online Examination System v1.0 - Multiple Authenticated SQL Injections (SQLi)