CVE-2023-33584

9.8 CRITICAL

📋 TL;DR

CVE-2023-33584 is a critical SQL injection vulnerability in Sourcecodester Enrollment System Project V1.0 that allows attackers to bypass authentication and execute arbitrary SQL commands. This affects all deployments using the vulnerable version, potentially exposing sensitive enrollment data and system access.

💻 Affected Systems

Products:
  • Sourcecodester Enrollment System Project
Versions: V1.0
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of version 1.0 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise including data exfiltration, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case: Authentication bypass leading to unauthorized access to enrollment data, student records, and administrative functions.

🟢 If Mitigated: Limited impact with proper input validation and database permissions restricting damage to data viewing only.

🌐 Internet-Facing: HIGH - Web application directly exposed to internet with unauthenticated exploit available.
🏢 Internal Only: MEDIUM - Still vulnerable but attack surface reduced to internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available requiring minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Replace with secure alternative or implement custom fixes.

🔧 Temporary Workarounds

Input Validation Implementation

all

Add parameterized queries and input sanitization to login.php

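Modify login.php to use prepared statements, so that user input is bound as data and never concatenated into the SQL text:

  $stmt = $conn->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
  $stmt->bind_param('ss', $username, $password);
  $stmt->execute();
  $result = $stmt->get_result();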

Web Application Firewall Rules

all

Block SQL injection patterns at WAF level

Add a WAF rule (ModSecurity syntax):

  SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"

🧯 If You Can't Patch

  • Isolate system behind VPN with strict access controls
  • Implement network segmentation and monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test the login page with the SQL injection payload ' OR '1'='1 in the username field

Check Version:

Check source code files for version markers or review project documentation

Verify Fix Applied:

Attempt SQL injection payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in access logs
  • Multiple failed login attempts with SQL characters
  • Successful logins from unexpected IPs

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, INSERT)
  • Abnormal database query patterns

SIEM Query:

source="web_logs" AND ("' OR" OR "UNION SELECT" OR "--" OR ";--")
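
The log indicators and SIEM query above, as an added example (not part of the original advisory or the project's code): a Python scan of access-log lines that URL-decodes each query parameter before matching, because encoded input such as %27%20OR never matches the literal string "' OR", and that counts -- as a comment marker only when whitespace or the end of the value follows it. The log lines are constructed; the combined log format, the username/password parameters arriving in the URL, and news.php are assumptions, and POST bodies, which standard access logs do not record, are outside what it can see.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Indicators from this advisory's SIEM query, applied to decoded parameter values.
INDICATORS = {
    "quote-or": re.compile(r"'\s*or\b", re.I),
    "union-select": re.compile(r"\bunion\s+select\b", re.I),
    "sql-comment": re.compile(r"--(\s|$)"),  # "--" inside a word is ignored
}

# Constructed sample lines (documentation IP ranges; paths and parameters assumed).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /login.php?username=alice&password=x HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /login.php?username=%27%20OR%20%271%27%3D%271&password=x HTTP/1.1" 302 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /login.php?username=a%27+UNION+SELECT+1--+&password=x HTTP/1.1" 403 199',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /news.php?slug=spring--term HTTP/1.1" 200 900',
]

def scan_line(line):
    """Return (client_ip, status, sorted indicator names), or None if nothing matched."""
    m = REQUEST.match(line)
    if not m:
        return None
    hits = set()
    for _, value in parse_qsl(urlsplit(m.group(2)).query, keep_blank_values=True):
        hits.update(name for name, rx in INDICATORS.items() if rx.search(value))
    return (m.group(1), int(m.group(3)), sorted(hits)) if hits else None

def scan(lines):
    """Group hits per client IP and note whether any flagged request was not rejected."""
    report = {}
    for ip, status, hits in filter(None, map(scan_line, lines)):
        entry = report.setdefault(ip, {"requests": 0, "indicators": set(), "non_error": False})
        entry["requests"] += 1
        entry["indicators"].update(hits)
        entry["non_error"] = entry["non_error"] or status < 400
    return report

if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry["requests"], sorted(entry["indicators"]), entry["non_error"])
```

A flagged request that received a non-error status (the 302 in the sample) is the one to triage first, since it pairs an injection indicator with a response that was not a rejection.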
