Login Sign Up

CVE-2017-15972

9.8 CRITICAL
SQL Injection Authentication Bypass

📋 TL;DR

SoftDatepro Dating Social Network 1.3 contains multiple SQL injection vulnerabilities that allow attackers to execute arbitrary SQL commands through various parameters. This affects all users running version 1.3 of the software, potentially compromising database integrity and confidentiality.

💻 Affected Systems

Products:
  • SoftDatepro Dating Social Network
Versions: 1.3
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in default installation. Affects both user-facing pages (viewprofile.php, viewmessage.php) and admin interface.

📦 What is this software?

Dating Software by Softdatepro

View all CVEs affecting Dating Software →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, authentication bypass, remote code execution via database functions, and full system takeover.

🟠

Likely Case

Unauthorized data access, user information theft, privilege escalation, and potential site defacement.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or minor data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploits available. Exploitation requires minimal technical skill due to simple parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Implement proper input validation and use parameterized queries/prepared statements for all database interactions.

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests.

🧯 If You Can't Patch

  • Implement strict input validation on profid, sender_id, and admin email parameters
  • Restrict database user permissions to minimum required, use read-only accounts where possible

🔍 How to Verify

Check if Vulnerable:

Test parameters with SQL injection payloads: viewprofile.php?profid=1' OR '1'='1, viewmessage.php?sender_id=1' OR '1'='1, admin email field with SQL payload

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection payloads no longer execute and return appropriate error messages or are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts from single IP
  • Requests with SQL keywords in parameters

Network Indicators:

  • HTTP requests containing SQL injection patterns in parameters
  • Unusual database query patterns from application server

SIEM Query:

source="web_logs" AND (uri="*viewprofile.php*" OR uri="*viewmessage.php*") AND (param="*' OR*" OR param="*UNION*" OR param="*SELECT*" OR param="*INSERT*")

📊 Metadata

CVE ID: CVE-2017-15972
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: October 29, 2017
Last Updated: April 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-15972, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)