Online Voting System Project v1.0 - SQLi
Summary
Name | Online Voting System Project v1.0 - Multiple Unauthenticated SQL Injections (SQLi) |
Code name | Yo-Yo Ma |
Product | Online Voting System Project |
Vendor | Projectworlds Pvt. Limited |
Affected versions | Version 1.0 |
State | Public |
Release date | 2023-12-07 |
Vulnerabilities
Kind | Unauthenticated SQL Injections (SQLi) |
Rule | 146. SQL Injection |
Remote | Yes |
CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSSv3 Base Score | 9.8 |
Exploit available | Yes |
CVE ID(s) | CVE-2023-48433, CVE-2023-48434 |
Description
Online Voting System Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.
Vulnerabilities
CVE-2023-48433
The 'username' parameter of the login_action.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:
$sql = mysqli_query($con, 'SELECT * FROM loginusers WHERE username="'.$_POST['username'].'" AND password="'.md5($_POST['password']).'" AND status="ACTIVE" ' );
CVE-2023-48434
The 'username' parameter of the reg_action.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:
$sq = mysqli_query($con, 'SELECT username FROM loginusers WHERE username="'.$_POST['username'].'"');
Our security policy
We have reserved the IDs CVE-2023-48433 and CVE-2023-48434 to refer to these issues from now on.
System Information
- Version: Online Voting System Project v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://projectworlds.in/
Timeline
2023-11-16
Vulnerability discovered.
2023-11-16
Vendor contacted.
2023-12-07
Public Disclosure.