CVE-2023-5929 in Simple Student Information Systeminfo

Summary

by MITRE • 11/02/2023

A vulnerability was found in Campcodes Simple Student Information System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/students/manage_academic.php. The manipulation of the argument id leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-244329 was assigned to this vulnerability.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 11/30/2023

The vulnerability identified as CVE-2023-5929 represents a critical sql injection flaw within the Campcodes Simple Student Information System version 1.0. This weakness resides in the administrative component of the application, specifically within the manage_academic.php file that handles student academic records. The vulnerability stems from inadequate input validation and sanitization mechanisms that fail to properly escape or filter user-supplied data before incorporating it into database queries. The attack vector is triggered through manipulation of the id parameter, which allows malicious actors to inject arbitrary sql commands into the backend database through the application's interface.

This sql injection vulnerability operates at the core of database security principles and aligns with CWE-89, which categorizes sql injection as a fundamental weakness in data validation and query construction. The exploitation of this flaw enables attackers to bypass authentication mechanisms, extract sensitive student information, modify academic records, or potentially gain unauthorized access to the underlying database system. The disclosure of exploitation methods in public repositories and the assignment of VDB-244329 identifier indicate that this vulnerability has already been weaponized by threat actors, making immediate remediation critical for organizations relying on this student information system.

The operational impact of this vulnerability extends beyond simple data theft, as it can compromise the integrity and availability of academic records within the system. Attackers could manipulate student grades, alter enrollment status, or delete academic history, fundamentally undermining the reliability of the student information system. The critical classification reflects the potential for widespread data compromise across multiple student records and the ease with which authenticated administrative access could be gained. This vulnerability directly violates security principles outlined in the ATT&CK framework under T1078 for valid accounts and T1046 for network service scanning, as it enables unauthorized access through legitimate administrative interfaces.

Organizations must implement immediate mitigations including input validation, parameterized queries, and proper output encoding to prevent sql injection attacks. The recommended approach involves upgrading to a patched version of the Campcodes Simple Student Information System, implementing web application firewalls, and conducting comprehensive security testing of all database interfaces. Additional protective measures should include database access logging, privilege separation, and regular security audits. The vulnerability demonstrates the importance of secure coding practices and highlights the necessity of following OWASP Top Ten guidelines for preventing sql injection vulnerabilities in web applications.

Responsible

VulDB

Reservation

11/02/2023

Disclosure

11/02/2023

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00562

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!