CVE-2023-33584: CVE/CVE-2023-33584/CVE-2023-33584.txt at main · sudovivek/CVE
Sourcecodester Enrollment System Project V1.0 is vulnerable to SQL Injection (SQLI) attacks, which allow an attacker to manipulate the SQL queries executed by the application. The application fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code.
> [Suggested Description]
>
> Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.
>
> ------------------------------------------
>
> [Additional Information]
> Step To Reproduce:
>
> The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:
>
> 1. Launch the Enrollment System Project V1.0 application.
>
> 2. Open the login page by accessing the URL: http://localhost/enrollment/login.php.
>
> 3. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication: {' or 1=1 #}.
>
> 4. Click the login button to execute the SQL Injection payload.
>
>
> ------------------------------------------
>
> [Vulnerability Type]
> SQL Injection
>
> ------------------------------------------
>
> [Vendor of Product]
> https://www.sourcecodester.com
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Enrollment System Project - V1.0
>
> ------------------------------------------
>
> [Attack Type]
> Remote
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [Reference]
> https://www.sourcecodester.com
> https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html
>
> ------------------------------------------
>
> [Discoverer]
> Vivek Choudhary
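To show why the payload quoted in the advisory bypasses the login and how a parameterized query stops it, here is an added example (not code from the Enrollment System project or from the advisory's author): a stand-in login check against an in-memory SQLite table, with the vulnerable string-built query beside its fixed form. The table, the user record and the helper names are constructed for the demo, and the payload uses the `-- ` comment form because SQLite does not recognise MySQL's `#` comment.

```python
import sqlite3


# Constructed stand-in for the application's MySQL user table. Plaintext
# password storage is kept only so the password field can be shown as an
# injection point; a real fix also stores a proper password hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    conn.commit()
    return conn


def vulnerable_sql(username, password):
    # The flaw the advisory describes: both fields are spliced into the SQL
    # text, so a quote closes the string literal, "or 1=1" makes the WHERE
    # clause always true, and a comment marker discards the rest.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    # Fix: placeholders send the values separately from the SQL text, so the
    # engine treats each field as one string and never parses it as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# The page's payload, with "-- " instead of "#" (both engines accept "-- ").
PAYLOAD = "' or 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload in both fields:", login_vulnerable(db, PAYLOAD, PAYLOAD))
    print("hardened, payload in both fields:  ", login_hardened(db, PAYLOAD, PAYLOAD))
    print("hardened, real credentials:        ", login_hardened(db, "admin", "s3cret"))
```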
Related news
Enrollment System Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.