CVE-2023-26780

9.8 CRITICAL

📋 TL;DR

CVE-2023-26780 is a SQL injection vulnerability in CleverStupidDog yf-exam version 1.8.0 that allows attackers to execute arbitrary SQL commands. This affects all users running the vulnerable version of this software. Successful exploitation could lead to data theft, data manipulation, or complete system compromise.

💻 Affected Systems

Products:
  • CleverStupidDog yf-exam
Versions: 1.8.0
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.8.0 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, data destruction, privilege escalation to database administrator, and potential remote code execution on the underlying server.

🟠 Likely Case

Unauthorized access to sensitive data stored in the database, including user credentials, personal information, and application data.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting user privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well-understood and frequently exploited. Public GitHub references demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

1. Check for updated versions from the vendor.
2. If no patch is available, implement the workarounds below.
3. Consider replacing the software with an alternative.

🔧 Temporary Workarounds

Implement Input Validation (applies to: all)

Add server-side input validation so that all user-supplied input is checked before it reaches a SQL query.

Use Parameterized Queries (applies to: all)

Replace dynamically built SQL with parameterized queries or prepared statements.

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules
  • Restrict database user permissions to minimum required access
  • Isolate the vulnerable system from sensitive networks

🔍 How to Verify

Check if Vulnerable:

Check if running yf-exam version 1.8.0. Review application code for unsanitized user input in SQL queries.

Check Version:

Check the application's configuration files or package manager for version information.

Verify Fix Applied:

Test SQL injection payloads against the application to confirm they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns
  • Multiple failed login attempts whose submitted values contain SQL syntax
  • Database error messages containing user input

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, DROP, etc.)
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND ("SELECT" OR "UNION" OR "DROP" OR "INSERT" OR "UPDATE") AND status="200"
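As an added example that is not part of this advisory, the following Python applies the SIEM query above to constructed web-server log lines and compares it with a stricter rule that URL-decodes the query string and requires injection syntax (a quote, comment marker or tautology) alongside the keyword, so that ordinary words like "select" are not flagged and error responses during probing are not missed. The log lines, paths and parameters are placeholders, not real yf-exam endpoints or traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format); paths and
# parameters are placeholders and are not real yf-exam endpoints.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /app/list?name=math HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Mar/2023:10:00:02 +0000] "GET /app/list?name=a%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 734',
    '10.0.0.8 - - [01/Mar/2023:10:00:03 +0000] "GET /app/list?name=%27%20OR%201%3D1 HTTP/1.1" 500 120',
    '10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /app/search?q=select+committee HTTP/1.1" 200 300',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SQL_KEYWORDS = ("SELECT", "UNION", "DROP", "INSERT", "UPDATE")
QUOTE_OR_COMMENT = re.compile(r"'|--|/\*")            # string break-out or comment marker
TAUTOLOGY = re.compile(r"\bOR\b\s+\S+\s*=\s*\S+", re.IGNORECASE)  # e.g. OR 1=1

def parse_line(line):
    """Return (URL-decoded query string, status code), or None if the line does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    query = unquote_plus(urlsplit(m.group("target")).query)
    return query, int(m.group("status"))

def matches_siem_query(line):
    """Literal reading of the advisory's SIEM query: any SQL keyword substring, HTTP 200 only."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    query, status = parsed
    upper = query.upper()
    return status == 200 and any(k in upper for k in SQL_KEYWORDS)

def is_suspicious(line):
    """Stricter rule: injection syntax plus a whole-word keyword or tautology, any status."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    query, _status = parsed
    has_keyword = any(re.search(rf"\b{k}\b", query, re.IGNORECASE) for k in SQL_KEYWORDS)
    return QUOTE_OR_COMMENT.search(query) is not None and (has_keyword or TAUTOLOGY.search(query) is not None)

def triage(lines):
    """Return the lines each rule flags so the two rules can be compared side by side."""
    return {"siem_query": [l for l in lines if matches_siem_query(l)],
            "strict": [l for l in lines if is_suspicious(l)]}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOGS).items():
        print(name, len(hits))
```

On the sample lines the literal query flags the "select committee" request (a false positive) and misses the HTTP 500 probe, while the stricter rule flags exactly the two injection attempts.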
