CVE-2023-26780 in yf-examinfo

Summary

by MITRE • 03/02/2023

CleverStupidDog yf-exam v 1.8.0 is vulnerable to SQL Injection.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/11/2025

The CleverStupidDog yf-exam application version 1.8.0 presents a critical security vulnerability through SQL injection flaws that can be exploited by malicious actors to gain unauthorized access to the underlying database system. This vulnerability specifically affects the application's handling of user inputs within database queries, creating opportunities for attackers to manipulate SQL command execution through crafted input parameters. The flaw exists in the application's backend processing logic where user-supplied data is directly incorporated into SQL statements without proper sanitization or parameterization mechanisms.

This SQL injection vulnerability falls under the Common Weakness Enumeration category CWE-89, which specifically addresses improper neutralization of special elements used in SQL commands. The attack vector typically occurs when the application fails to validate or escape user inputs before incorporating them into database queries, allowing attackers to inject malicious SQL code that can be executed with the privileges of the database user. The vulnerability is particularly concerning because it can enable attackers to extract sensitive data, modify database contents, or potentially escalate privileges within the system.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation can lead to complete system compromise and unauthorized access to all database contents. Attackers can leverage this vulnerability to perform unauthorized data manipulation, including data deletion, modification, or unauthorized access to sensitive information such as user credentials, personal data, or system configuration details. The vulnerability affects the application's integrity and confidentiality, potentially leading to business disruption, regulatory compliance violations, and significant financial consequences. Organizations using this vulnerable version may face increased risk of data breaches and reputational damage.

Mitigation strategies should focus on implementing proper input validation and parameterized queries to prevent malicious SQL code execution. Organizations must immediately update to the latest version of the yf-exam application where the SQL injection vulnerability has been patched. Additionally, implementing web application firewalls, database activity monitoring, and regular security testing can help detect and prevent exploitation attempts. The remediation process should include thorough code review to ensure all database query interfaces properly sanitize user inputs and implement proper error handling to prevent information leakage. Security teams should also conduct comprehensive vulnerability assessments to identify similar issues in other applications within the organization's infrastructure, as SQL injection remains one of the most prevalent and dangerous web application security flaws.

Reservation

02/27/2023

Disclosure

03/02/2023

Moderation

accepted

CPE

ready

EPSS

0.00780

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!