CVE-2023-27112

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in pearProjectApi allows attackers to execute arbitrary SQL commands through the projectCode parameter. Any system running the vulnerable version is affected, potentially exposing database contents and enabling further system compromise.

💻 Affected Systems

Products:
  • pearProjectApi
Versions: v2.8.10 and potentially earlier versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation when project.php is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, data modification, and potential authentication bypass leading to unauthorized project access.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection via URL parameter with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.8.11 or later

Vendor Advisory: https://github.com/a54552239/pearProjectApi/issues/32

Restart Required: No

Instructions:

1. Backup current installation.
2. Download latest version from GitHub.
3. Replace vulnerable files.
4. Verify functionality.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize projectCode parameter

Modify project.php to validate projectCode parameter using regex or whitelist

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

🧯 If You Can't Patch

  • Restrict access to project.php endpoint using network ACLs or authentication
  • Implement database user with minimal privileges for the application

🔍 How to Verify

Check if Vulnerable:

Test project.php endpoint with SQL injection payloads in projectCode parameter

Check Version:

Check pearProjectApi version in configuration files or via API endpoint

Verify Fix Applied:

Verify parameterized queries are used and test with SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts after SQL injection attempts

Network Indicators:

  • HTTP requests with SQL keywords in projectCode parameter
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="*project.php*" AND (query="*projectCode=*SELECT*" OR query="*projectCode=*UNION*")
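As an added example (not part of this advisory or of the pearProjectApi project), a small Python checker that applies the indicators above to constructed access-log lines. It goes a step beyond the literal SIEM pattern: it scopes to project.php, URL-decodes the projectCode value (twice, to catch double encoding) and matches SQL tokens case-insensitively. The "expected" alphanumeric format for projectCode is an assumption, since the advisory does not state one.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Constructed sample lines in Apache combined-log style; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /project.php?projectCode=abc123 HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2023:10:00:02 +0000] "GET /project.php?projectCode=abc%27%20UNION%20SELECT%201%2C2--+ HTTP/1.1" 200 2048
10.0.0.7 - - [01/Mar/2023:10:00:03 +0000] "GET /project.php?projectCode=x%27+or+1%3d1-- HTTP/1.1" 500 0
10.0.0.9 - - [01/Mar/2023:10:00:04 +0000] "GET /index.php?projectCode=abc%27%20select HTTP/1.1" 200 100
10.0.0.5 - - [01/Mar/2023:10:00:05 +0000] "GET /project.php?projectCode=select HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Tokens that have no business in a project code; matched case-insensitively after decoding.
SQL_TOKEN_RE = re.compile(r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b|--|/\*|;", re.I)
# Assumed legitimate projectCode format (the advisory does not state one): a short alphanumeric token.
EXPECTED_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line we understand
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded once here
    return rec

def suspicious_project_code(value):
    """Return a reason string if the value looks like injection, or None if it fits the expected format."""
    decoded = unquote_plus(value)  # second decode catches double-encoded input (%2527 -> %27 -> ')
    if EXPECTED_CODE_RE.match(decoded):
        return None  # a bare word such as 'select' still fits the format, so it is not flagged
    token = SQL_TOKEN_RE.search(decoded)
    if token:
        return "sql-token:" + token.group(0)
    return "unexpected-chars"

def find_alerts(log_text):
    """Return (src, status, reason) for requests to project.php whose projectCode looks hostile."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/project.php"):
            continue  # only the vulnerable endpoint is in scope
        for value in rec["params"].get("projectCode", []):
            reason = suspicious_project_code(value)
            if reason:
                alerts.append((rec["src"], rec["status"], reason))
    return alerts
```

Tune EXPECTED_CODE_RE to the real code format in your deployment; a whitelist check first keeps legitimate codes from tripping the keyword list.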
