CVE-2023-1153 in Pacsrapor

Summary

by MITRE • 03/21/2023

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pacsrapor allows SQL Injection, Command Line Execution through SQL Injection.

This issue affects Pacsrapor: before 1.22.


Analysis

by VulDB Data Team • 06/01/2026

CVE-2023-1153 is a critical SQL injection flaw in the Pacsrapor software application affecting versions prior to 1.22. It is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the application fails to properly sanitize user input before incorporating it into SQL commands, so specially crafted input can change the queries the database management system executes.

Exploitation lets an attacker perform unauthorized database operations by injecting SQL into input parameters. The impact goes beyond data extraction: the advisory also lists command line execution, meaning successful exploitation could allow arbitrary commands to run on the underlying operating system. Because insufficient input validation lets injected SQL reach the database engine directly, the compromise may propagate to the host operating system through database management system features or stored procedures.

The operational impact is severe and multifaceted: exposure of sensitive data, modification of database contents, unauthorized administrative privileges, and potentially full system control through command execution. Since every version before 1.22 is affected, a significant share of deployments may be exposed without their operators realizing it.

In MITRE ATT&CK terms, this analysis maps the flaw to techniques involving command and control communications, credential access, and privilege escalation. The attack surface widens further because SQL injection can be leveraged to establish persistence through database backdoors, to exfiltrate data, or to move laterally in environments where database systems are prevalent. Organizations using Pacsrapor should prioritize updating to version 1.22 or later, and should apply proper input validation, parameterized queries, and comprehensive database access controls to reduce the risk of exploitation. Additional defensive measures include network monitoring for suspicious SQL injection patterns, database activity logging, and regular security assessments to identify exploitation attempts against this and similar vulnerabilities.
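The following example, added here and not taken from Pacsrapor or from VulDB, contrasts the CWE-89 pattern with the parameterized-query mitigation named above. The table, column names and inputs are constructed for the demonstration and are not the application's real schema.

```python
import sqlite3

# Constructed in-memory table standing in for a reporting application's
# data; names and values are assumptions, not Pacsrapor's schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER, patient TEXT, body TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?, ?)", [
        (1, "alice", "report A"),
        (2, "bob", "report B"),
        (3, "carol", "report C"),
    ])
    return conn

def find_reports_vulnerable(conn: sqlite3.Connection, patient: str) -> list:
    # CWE-89: user input is spliced into the SQL text, so the database
    # parser treats the input as part of the query rather than as data.
    sql = f"SELECT id FROM reports WHERE patient = '{patient}'"
    return [row[0] for row in conn.execute(sql)]

def find_reports_fixed(conn: sqlite3.Connection, patient: str) -> list:
    # Parameterized query: the value is bound separately from the SQL text,
    # so quote characters in the input never alter the query structure.
    rows = conn.execute("SELECT id FROM reports WHERE patient = ?", (patient,))
    return [row[0] for row in rows]

def main() -> None:
    conn = make_db()
    benign = "alice"
    # Constructed tautology input, used only to show the two behaviours.
    crafted = "x' OR '1'='1"
    print(find_reports_vulnerable(conn, benign))   # [1]
    print(find_reports_vulnerable(conn, crafted))  # [1, 2, 3]
    print(find_reports_fixed(conn, crafted))       # []

if __name__ == "__main__":
    main()
```

The vulnerable function returns every row for the crafted input because the quote terminates the string literal and the rest becomes SQL; the parameterized version returns nothing because the whole input is compared as a plain value.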

Reservation: 03/02/2023

Disclosure: 03/21/2023

Moderation: accepted

CPE: ready

EPSS: 0.00473

KEV: no

Activities: low
