CVE-2025-8238: SQL Injection Vulnerability in Exam Form Submission 1.0

A critical security vulnerability has been identified in Exam Form Submission 1.0, potentially allowing attackers to execute arbitrary SQL commands. This vulnerability poses a significant risk to systems running this software.

Vulnerability Details

CVE ID: CVE-2025-8238
Description: A SQL injection vulnerability exists in Exam Form Submission 1.0 within the `/admin/update_s2.php` file. By manipulating the `credits` argument, a remote attacker can inject arbitrary SQL code, potentially leading to unauthorized data access, modification, or even complete system compromise.
CVSS Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Explanation: This vulnerability has a high CVSS score because it can be exploited remotely without any privileges or user interaction. The impact is limited to low confidentiality, integrity, and availability, meaning an attacker could read some data, modify some data, or cause a minor disruption of service.
Exploit Requirements: No authentication is required. The attacker needs to send a crafted HTTP request to the vulnerable endpoint. A proof-of-concept exploit is publicly available, increasing the risk of exploitation.
Affected Vendor: code-projects
Affected Product: Exam Form Submission
Affected Version: 1.0
CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') and CWE-74 - Improper Neutralization of Special Elements used in an Output Argument ('Injection')
CWE Explanation: This vulnerability occurs because the application fails to properly sanitize user-supplied input before using it in an SQL query. This allows an attacker to inject malicious SQL code that is then executed by the database.

Timeline of Events

2025-07-27: CVE ID assigned and vulnerability reported.
[Date Unknown]: Public exploit disclosed.

Exploitability & Real-World Risk

The existence of a publicly available exploit significantly increases the risk associated with this vulnerability. Attackers can easily leverage this exploit to compromise vulnerable Exam Form Submission 1.0 installations. If this application is used to manage sensitive student or exam data, a successful attack could lead to data breaches, academic fraud, or other serious consequences. The vulnerable software is likely used by educational institutions, making them a prime target.

Recommendations

Apply Patch: Upgrade to a patched version of Exam Form Submission, if available. Check the vendor's website for updates.
Input Validation: Implement robust input validation on all user-supplied data, especially the `credits` parameter in the `/admin/update_s2.php` file. Use parameterized queries or prepared statements to prevent SQL injection.
Web Application Firewall (WAF): Deploy a WAF to detect and block malicious SQL injection attempts.
Database Permissions: Limit database user permissions to the minimum required for the application to function.

Technical Insight

The vulnerability lies in the insufficient sanitization of the `credits` parameter. When user input is directly incorporated into an SQL query without proper escaping or parameterization, an attacker can inject malicious SQL code that alters the query's intended behavior. For example, an attacker might inject code to bypass authentication, retrieve sensitive data, or even execute arbitrary commands on the database server.

Credit to Researcher(s)

The vulnerability was reported via VulDB.

CVE-2025-8238: SQL Injection Vulnerability in Exam Form Submission 1.0

CVE-2025-8238: SQL Injection Vulnerability in Exam Form Submission 1.0

Vulnerability Details

Timeline of Events

Exploitability & Real-World Risk

Recommendations

Technical Insight

Credit to Researcher(s)

References

Tags

Timeline

References

Post a Comment

Contact Form