CVE-2023-41520 – Student Attendance Management System v1 contain... (How to Fix)

Q: What is the severity of CVE-2023-41520?

CVE-2023-41520 has a CVSS score of 8.8 (HIGH). Student Attendance Management System v1 contains SQL injection vulnerabilities in the createClassArms.php file through the classId and classArmName parameters. This allows attackers to execute arbitrary SQL commands on the database, potentially compromising the entire system. Anyone using this specific version of the software is affected.

📋 TL;DR

Student Attendance Management System v1 contains SQL injection vulnerabilities in the createClassArms.php file through the classId and classArmName parameters. This allows attackers to execute arbitrary SQL commands on the database, potentially compromising the entire system. Anyone using this specific version of the software is affected.

💻 Affected Systems

Products:

Student Attendance Management System

Versions: v1.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the createClassArms.php endpoint specifically.

📦 What is this software?

Student Attendance Management System by Student Attendance Management System Project

View all CVEs affecting Student Attendance Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, authentication bypass, or remote code execution on the underlying server.

🟠

Likely Case

Unauthorized data access, modification of attendance records, or extraction of sensitive information like student/personal data.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to the createClassArms.php endpoint, which may need authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Replace vulnerable code with parameterized queries or prepared statements in createClassArms.php.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and sanitization for classId and classArmName parameters.

Web Application Firewall (WAF)

all

Deploy a WAF to block SQL injection attempts targeting the vulnerable endpoint.

🧯 If You Can't Patch

Restrict network access to the system to trusted users only.
Monitor logs for suspicious SQL queries or unauthorized access attempts.

🔍 How to Verify

Check if Vulnerable:

Test the createClassArms.php endpoint with SQL injection payloads in classId or classArmName parameters.

Check Version:

Check the software version in the system's admin panel or configuration files.

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection attempts no longer succeed.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed login attempts or parameter tampering

Network Indicators:

HTTP requests to createClassArms.php with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="*createClassArms.php*" AND (param="*classId*" OR param="*classArmName*") AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*")

📊 Metadata

CVE ID: CVE-2023-41520

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-89

EPSS Score: 0.03% exploit probability (6.9th percentile)

Published: August 7, 2025

Last Updated: August 13, 2025

🔗 References

https://gist.github.com/celbahraoui/39c19c0b7f9f92a1a7e06d1c928bb1c3 Third Party Advisory
https://github.com/rickxy/Student-Attendance-Management-System Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-41520, you might also want to check these: