CVE-2023-5155 in SoliPay Mobile Appinfo

Summary

by MITRE • 02/15/2024

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Utarit Information Technologies SoliPay Mobile App allows SQL Injection.

This issue affects SoliPay Mobile App: before 5.0.8.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/20/2026

The vulnerability identified as CVE-2023-5155 represents a critical SQL injection flaw within the Utarit Information Technologies SoliPay Mobile Application, specifically impacting versions prior to 5.0.8. This security weakness resides in the application's improper handling of special elements within SQL commands, creating an avenue for malicious actors to execute unauthorized database operations. The vulnerability manifests when user input containing SQL metacharacters is directly incorporated into database queries without adequate sanitization or parameterization, allowing attackers to manipulate the intended query structure and potentially gain unauthorized access to sensitive data.

The technical implementation of this vulnerability stems from the application's failure to properly neutralize special SQL characters and control sequences within user-provided input fields. When the mobile application processes user credentials, transaction data, or other input parameters, it fails to employ proper input validation or parameterized query mechanisms. This flaw aligns with CWE-89 which specifically addresses improper neutralization of special elements used in SQL commands, making it a classic example of SQL injection vulnerability. The vulnerability occurs at the application layer where user input flows directly into database execution contexts without adequate security controls to prevent command injection.

From an operational standpoint, this vulnerability presents significant risks to both the application and its users. Attackers could exploit this weakness to extract sensitive information such as user credentials, personal identification details, financial records, and transaction histories stored within the application's database. The impact extends beyond simple data theft to potentially enabling complete database compromise, allowing malicious actors to modify or delete critical information. This vulnerability particularly affects mobile applications where users may store sensitive financial data, making the potential attack surface highly valuable to threat actors. The risk is compounded by the mobile nature of the application, which may expose users to additional attack vectors through compromised devices.

The mitigation strategy for CVE-2023-5155 requires immediate implementation of parameterized queries or prepared statements throughout the application codebase, ensuring that all user input is properly escaped or parameterized before database interaction. Organizations should implement comprehensive input validation mechanisms that filter or sanitize all user-provided data before processing, utilizing established security libraries and frameworks that provide built-in protection against SQL injection attacks. The remediation process must include thorough code review and security testing to identify all potential injection points within the application, particularly focusing on database interaction routines and user input handling components. Additionally, implementing proper access controls and database permissions can limit the potential impact of successful exploitation attempts. The solution aligns with ATT&CK technique T1071.004 which involves application layer protocol manipulation, and specifically addresses the need for secure coding practices as outlined in the OWASP Top Ten security framework. Organizations should also establish continuous monitoring and regular security assessments to prevent similar vulnerabilities from emerging in future application versions.

Reservation

09/25/2023

Disclosure

02/15/2024

Moderation

accepted

CPE

ready

EPSS

0.00519

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!