Login Sign Up

CVE-2023-40629

9.8 CRITICAL
SQL Injection

📋 TL;DR

CVE-2023-40629 is a critical SQL injection vulnerability in the LMS Lite component for Joomla that allows attackers to execute arbitrary SQL commands. This affects all Joomla websites using the vulnerable LMS Lite extension. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:
  • LMS Lite for Joomla
Versions: All versions before the patched release
Operating Systems: All platforms running Joomla
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Joomla installations with LMS Lite component installed and enabled.

📦 What is this software?

Lms King Lite by King Products

View all CVEs affecting Lms King Lite →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized data access, user information theft, and potential privilege escalation within the Joomla application.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection remains dangerous.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly exploited and weaponized quickly due to their high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Joomla extensions directory for latest LMS Lite version

Vendor Advisory: https://extensions.joomla.org/extension/lms-lite/

Restart Required: No

Instructions:

1. Log into Joomla admin panel. 2. Navigate to Extensions > Manage > Update. 3. Update LMS Lite to latest version. 4. Alternatively, download latest version from Joomla extensions directory and install manually.

🔧 Temporary Workarounds

Disable LMS Lite Component

all

Temporarily disable the vulnerable component until patched

Navigate to Joomla admin > Extensions > Manage > Manage > Disable LMS Lite

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns

Configure WAF to block SQL injection patterns: UNION, SELECT, INSERT, UPDATE, DELETE, DROP, --, #, /*, */

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries at application level
  • Restrict database user permissions to minimum required for application functionality

🔍 How to Verify

Check if Vulnerable:

Check Joomla admin panel > Extensions > Manage > Manage for LMS Lite version. Compare with latest version on Joomla extensions site.

Check Version:

Check Joomla admin panel or database #__extensions table for LMS Lite version

Verify Fix Applied:

Verify LMS Lite is updated to latest version and test SQL injection attempts are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts or SQL errors in Joomla logs
  • Unexpected database schema changes

Network Indicators:

  • SQL injection patterns in HTTP requests (UNION, SELECT, etc.)
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND ("UNION SELECT" OR "' OR '1'='1" OR "--" OR "#" OR "/**/") AND uri="*lms-lite*"

📊 Metadata

CVE ID: CVE-2023-40629
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: December 14, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-40629, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)