CVE-2023-33665 in aitable

Summary

by MITRE • 08/04/2023

ai-dev aitable before v0.2.2 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php.


Analysis

by VulDB Data Team • 01/05/2026

CVE-2023-33665 affects versions of the ai-dev aitable plugin prior to v0.2.2 and exposes a SQL injection flaw in the /includes/ajax.php component. This is a critical security weakness that could allow unauthorized users to execute malicious SQL commands against the affected system's database. The vulnerability stems from inadequate input validation and sanitization in the ajax.php file, which processes asynchronous requests from the web application. User-supplied data is incorporated directly into SQL query construction without proper escaping or parameterization, which gives attackers a way to manipulate database operations.

The vulnerability falls under CWE-89, which addresses SQL injection in software applications. The attack vector exploits the lack of input sanitization in the ajax.php endpoint, allowing malicious actors to inject arbitrary SQL code through crafted requests. When the application processes these requests, the unsanitized input is concatenated directly into database queries, enabling attackers to bypass authentication mechanisms, extract sensitive data, modify database records, or even execute administrative commands on the underlying database system. The vulnerability is particularly concerning because it affects a plugin component that likely handles user interactions and data processing, making it reachable through normal application usage patterns.

The operational impact of this vulnerability extends beyond simple data compromise, as it can lead to complete system takeover and unauthorized access to sensitive information. Attackers leveraging this vulnerability could potentially access user credentials, personal data, configuration settings, and other confidential information stored in the database. The exposure of the /includes/ajax.php component suggests that the vulnerability might be accessible through web-based interfaces, which makes it particularly dangerous: it could be exploited by remote attackers without physical access to the system. This type of vulnerability aligns with ATT&CK technique T1190, which covers exploitation of remote services, and T1071.004, which covers application layer protocol usage for command and control communications.

Mitigation strategies for CVE-2023-33665 should prioritize immediate patching of the ai-dev aitable plugin to version 0.2.2 or later, which contains the necessary fixes for the SQL injection vulnerability. Organizations should implement proper input validation and sanitization measures, ensuring all user-supplied data is properly escaped before being incorporated into database queries. The implementation of prepared statements or parameterized queries should be enforced throughout the application codebase to prevent similar vulnerabilities from occurring. Additionally, network segmentation and access controls should be implemented to limit exposure of the vulnerable component, while comprehensive logging and monitoring should be deployed to detect potential exploitation attempts. Regular security assessments and penetration testing should be conducted to identify and remediate similar vulnerabilities in other components of the system architecture.
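The monitoring step above can be sketched as a log check. This is an added example, not code from VulDB or the aitable project: it scans combined-format web access logs for requests to /includes/ajax.php whose query parameters carry SQL syntax. The sample log lines, the /app/ install prefix, the parameter names (action, id) and the marker list are constructed assumptions to be tuned per site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/includes/ajax.php"  # component named in the advisory

# Combined/common access-log prefix: ip, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic markers of SQL syntax inside a decoded parameter value (assumed list).
# Quotes alone can be legitimate input, so treat hits as leads, not verdicts.
SQLI_RE = re.compile(
    r"""['"]|--|/\*|;|\b(?:union\s+select|or\s+\d+\s*=\s*\d+|sleep\s*\(|information_schema)""",
    re.IGNORECASE,
)

def suspicious_requests(lines):
    """Return (ip, timestamp, param, decoded_value) for flagged ajax.php requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT):
            continue  # only the component named in the advisory
        # parse_qsl percent-decodes values, so encoded quotes are seen as quotes.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SQLI_RE.search(value):
                hits.append((m["ip"], m["ts"], name, value))
                break  # one finding per request is enough for triage
    return hits

# Constructed sample input (documentation IP ranges, hypothetical parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2023:10:00:01 +0000] "GET /app/includes/ajax.php?action=list&id=7 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Aug/2023:10:00:05 +0000] "GET /app/includes/ajax.php?action=list&id=7%27%20OR%201%3D1--%20 HTTP/1.1" 200 9841',
    '203.0.113.5 - - [04/Aug/2023:10:00:09 +0000] "GET /app/index.php?q=it%27s HTTP/1.1" 200 300',
    '198.51.100.7 - - [04/Aug/2023:10:00:12 +0000] "GET /app/includes/ajax.php?id=7+UNION+SELECT+1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so parameters sent in a POST body to the same endpoint need application-level or WAF logging to be inspected the same way.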

Reservation: 05/22/2023

Disclosure: 08/04/2023

Moderation: accepted

CPE: ready

EPSS: 0.00519

KEV: no

Activities: very low

Sources
