Online Examination System v1.0 - Multiple Authenticated SQL Injections (SQLi)

Description

Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-45115

The 'ch' parameter of the /update.php?q=addqns resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$ch=@$_GET['ch'];

for($i=1;$i<

CVE-2023-45116

The 'demail' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45117

The 'eid' parameter of the /update.php?q=rmquiz resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45118

The 'fdid' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45119

The 'n' parameter of the /update.php?q=quiz resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45120

The 'qid' parameter of the /update.php?q=quiz&step=2 resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

CVE-2023-45121

The 'desc' parameter of the /update.php?q=addquiz resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

Our security policy

We have reserved the IDs CVE-2023-45115, CVE-2023-45116, CVE-2023-45117, CVE-2023-45118, CVE-2023-45119, CVE-2023-45120 and CVE-2023-45121 to refer to these issues from now on.

Disclosure policy

System Information

• Version: Online Examination System v1.0

• Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://projectworlds.in/