CVE-2025-8237: Critical SQL Injection Vulnerability in Exam Form Submission 1.0
A critical security vulnerability, identified as CVE-2025-8237, has been discovered in code-projects Exam Form Submission version 1.0. This flaw allows remote attackers to inject arbitrary SQL commands, potentially leading to complete system compromise.
Vulnerability Details
- CVE ID: CVE-2025-8237
- Description: A SQL injection vulnerability exists in the /admin/update_s1.php file of Exam Form Submission 1.0. By manipulating the credits parameter, an attacker can execute arbitrary SQL commands on the underlying database.
- CVSS Score: 7.3 (High)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CVSS Explanation: This vulnerability is remotely exploitable (AV:N) with low complexity (AC:L) and requires no privileges (PR:N) or user interaction (UI:N). It has a low impact on confidentiality (C:L), integrity (I:L), and availability (A:L).
- Exploit Requirements: No authentication is required. The attacker needs to send a crafted HTTP request to the vulnerable endpoint.
- Affected Vendor: code-projects
- Affected Product: Exam Form Submission
- Affected Version: 1.0
- CWE: CWE-89 (SQL Injection) - This common weakness occurs when an application incorporates untrusted data into an SQL query without proper sanitization or escaping. This allows attackers to modify the query's structure and execute malicious commands.
Timeline of Events
- 2025-07-27: Vulnerability reported.
- 2025-07-27: CVE ID assigned.
- 2025-07-27: Proof-of-concept exploit publicly disclosed.
Exploitability & Real-World Risk
Due to the ease of exploitation (no authentication required) and the availability of a public exploit, the risk of this vulnerability being exploited in the wild is high. An attacker could potentially:
- Extract sensitive data from the database (e.g., user credentials, exam results).
- Modify data in the database (e.g., alter exam scores, create administrator accounts).
- Potentially gain control of the underlying server, depending on database permissions.
Given the purpose of the application (Exam Form Submission), successful exploitation could severely compromise the integrity of the examination process and expose sensitive student data.
Recommendations
- Apply Patch: Upgrade to a patched version of Exam Form Submission if available. Contact the vendor for updates.
- Input Sanitization: Implement proper input sanitization and validation for all user-supplied data, especially the credits parameter.
- Parameterized Queries: Use parameterized queries or prepared statements to prevent SQL injection.
- Web Application Firewall (WAF): Deploy a WAF to detect and block malicious requests.
- Least Privilege: Ensure the database user used by the application has only the necessary privileges.
Technical Insight
The vulnerability lies in the lack of proper sanitization of the credits parameter in the /admin/update_s1.php script. This allows an attacker to inject malicious SQL code directly into the database query. For example, an attacker could inject a payload like ' OR '1'='1 to bypass authentication or modify data.
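The concatenated-query pattern described above, next to the validated and parameterized form from the recommendations, as an added example that is not the application's own code. The students table, its columns, the function names and the credit bounds are assumptions, and an in-memory SQLite database stands in for the real one.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table (hypothetical names) standing in for the real schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, credits INTEGER)');
$db->exec('INSERT INTO students (id, credits) VALUES (1, 12), (2, 20)');

// Pattern behind CWE-89: request data concatenated into the statement text,
// so the input becomes part of the SQL grammar.
function update_credits_vulnerable(PDO $db, string $id, string $credits): void
{
    $db->exec("UPDATE students SET credits = '$credits' WHERE id = $id");
}

// Hardened form: validate type and range first, then bind the values so they
// can never be parsed as SQL.
function update_credits_safe(PDO $db, string $id, string $credits): bool
{
    $idInt = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $creditsInt = filter_var($credits, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 200]]); // assumed bounds
    if ($idInt === false || $creditsInt === false) {
        return false; // reject instead of trying to "clean" the input
    }
    $stmt = $db->prepare('UPDATE students SET credits = :credits WHERE id = :id');
    $stmt->bindValue(':credits', $creditsInt, PDO::PARAM_INT);
    $stmt->bindValue(':id', $idInt, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

function credits_of(PDO $db, int $id): int
{
    $stmt = $db->prepare('SELECT credits FROM students WHERE id = ?');
    $stmt->execute([$id]);
    return (int) $stmt->fetchColumn();
}

$payload = "' OR '1'='1"; // the payload quoted in this advisory

update_credits_vulnerable($db, '1', $payload);
// The statement text became: SET credits = '' OR '1'='1' WHERE id = 1
echo 'vulnerable path stored: ', credits_of($db, 1), PHP_EOL;

var_dump(update_credits_safe($db, '1', $payload)); // fails validation, never reaches SQL
var_dump(update_credits_safe($db, '2', '24'));     // integer in range, bound as a value
echo 'row 2 credits: ', credits_of($db, 2), PHP_EOL;
```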
Credit to Researcher(s)
This vulnerability was discovered by an anonymous researcher and reported via VulDB.
Summary: A critical SQL injection vulnerability exists in code-projects Exam Form Submission 1.0, allowing remote attackers to execute arbitrary SQL commands by manipulating the 'credits' parameter in the /admin/update_s1.php file.
Risk Analysis: Successful exploitation could allow an attacker to extract sensitive data, modify exam scores, create administrator accounts, or potentially gain control of the underlying server. This could severely compromise the integrity of the examination process and expose sensitive student data.
Recommendation: Apply the latest patch from the vendor, implement proper input sanitization and validation, use parameterized queries, deploy a web application firewall (WAF), and ensure the database user has only the necessary privileges.