Online Voting System Project v1.0 - SQLi

Summary

NameOnline Voting System Project v1.0 - Multiple Unauthenticated SQL Injections (SQLi)
Code nameYo-Yo Ma
ProductOnline Voting System Project
VendorProjectworlds Pvt. Limited
Affected versionsVersion 1.0
StatePublic
Release date2023-12-07

Vulnerabilities

KindUnauthenticated SQL Injections (SQLi)
Rule146. SQL Injection
RemoteYes
CVSSv3 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base Score9.8
Exploit availableYes
CVE ID(s)CVE-2023-48433, CVE-2023-48434

Description

Online Voting System Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities.

Vulnerabilities

CVE-2023-48433

The 'username' parameter of the login_action.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$sql = mysqli_query($con, 'SELECT * FROM loginusers WHERE username="'.$_POST['username'].'"  AND password="'.md5($_POST['password']).'" AND status="ACTIVE" ' );

CVE-2023-48434

The 'username' parameter of the reg_action.php resource does not validate the characters received and they are sent unfiltered to the database. The vulnerable code is:

$sq = mysqli_query($con, 'SELECT username FROM loginusers WHERE username="'.$_POST['username'].'"');

Our security policy

We have reserved the IDs CVE-2023-48433 and CVE-2023-48434 to refer to these issues from now on.

System Information

  • Version: Online Voting System Project v1.0
  • Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.

References

Vendor page https://projectworlds.in/

Timeline

Time-lapse-logo

2023-11-16

Vulnerability discovered.

Time-lapse-logo

2023-11-16

Vendor contacted.

Time-lapse-logo

2023-12-07

Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.