CVE-2023-43013

9.8 CRITICAL

📋 TL;DR

Asset Management System v1.0 contains an unauthenticated SQL injection vulnerability in the email parameter handled by index.php: the submitted value reaches the database query without parameterization. An attacker who can reach the login page can read or extract database contents and bypass authentication. Any organization running this version is affected.

💻 Affected Systems

Products:
  • Asset Management System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation with no special configuration required.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise (user records, credentials, system information) and, depending on database privileges and server configuration, a foothold that leads to full system takeover.

🟠

Likely Case

Database exfiltration of user credentials and sensitive asset information, followed by unauthorized access to the system.

🟢

If Mitigated

Limited impact once the query behind the email parameter is parameterized and the field is validated server-side. WAF rules reduce exposure in the meantime but do not remove the flaw.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via the email parameter requires minimal technical skill: a single crafted login request against index.php is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://projectworlds.in/ (vendor site; no version-specific advisory is linked here)

Restart Required: No

Instructions:

1. Check the vendor website for an updated release; the fixed version is not known.
2. If no update is available, replace the vulnerable index.php with a version in which the email value is never concatenated into SQL.
3. Rewrite the query that consumes the email parameter to use a prepared statement with bound parameters.
4. Add server-side validation of the email field as defence in depth, not as a substitute for the parameterized query.

🔧 Temporary Workarounds

Web Application Firewall Rule

Applies to: all

Block SQL injection patterns in the email parameter of requests to index.php.

WAF-specific: configure a rule that inspects the email parameter for SQL metacharacters and keywords (single quotes, comment markers such as -- and #, OR/UNION/SELECT). Treat this as a stopgap only; encoding and case variations can bypass keyword rules.

Input Validation Filter

Applies to: all

Add server-side validation of the email format before the value reaches any query.

Regex validation: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ (rejects whitespace and a second @, but not single quotes or SQL keywords, so a value such as 'or'1'='1@x.y still passes; this narrows the attack surface rather than closing it)
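The fix instructions and the validation workaround above, shown together in PHP. This is an added example and not the project's own index.php: the first function reproduces the vulnerable pattern the advisory describes (the email value spliced into the query string), the second applies the advisory's regex plus a prepared statement. The table and column names (users, email, password, password_hash), the use of mysqli, and the form field names are assumptions; the advisory says nothing about how the application stores passwords.

```php
<?php
// Added example, not the project's code. Table/column names and mysqli use are assumptions.

// --- Vulnerable pattern: user input spliced into the SQL string ---
function login_vulnerable(mysqli $db, string $email, string $password): ?array
{
    // An email value of  ' OR '1'='1  rewrites the WHERE clause and matches every row.
    $sql = "SELECT id, email FROM users WHERE email = '$email' AND password = '$password'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Defence in depth: format check with the advisory's regex ---
function validate_email(string $email): bool
{
    // The regex rejects whitespace and a second @, but 'or'1'='1@x.y still passes,
    // so this check alone does not stop injection; the prepared statement below does.
    return preg_match('/^[^\s@]+@[^\s@]+\.[^\s@]+$/', $email) === 1
        && filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// --- Hardened: the SQL structure is fixed, the value travels as data ---
function login_hardened(mysqli $db, string $email, string $password): ?array
{
    if (!validate_email($email)) {
        return null;
    }
    // Placeholder binding: the driver never interprets $email as SQL.
    $stmt = $db->prepare('SELECT id, email, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (default on modern PHP)
    $stmt->close();

    // Assumed hashed storage; compare with password_verify rather than in the query.
    if ($row && password_verify($password, $row['password_hash'])) {
        unset($row['password_hash']);
        return $row;
    }
    return null;
}

// Usage (no connection is opened in this example):
// $db   = new mysqli('localhost', 'app', 'secret', 'assets');
// $user = login_hardened($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
```

The vulnerable function is kept only to show what the prepared statement changes: with string concatenation the attacker controls the query's structure, with a bound parameter the query text is sent once and the email value can only ever be compared, never parsed.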

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit database access

🔍 How to Verify

Check if Vulnerable:

Submit the login form with a lone single quote (') in the email field; a database error or a change in behaviour indicates the value is reaching the query unescaped. The payload ' OR '1'='1 then tests whether authentication can be bypassed. Run these probes only against systems you are authorized to assess.

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Repeat the same probes after applying the prepared statement and validation; the application should reject the input or treat it as a normal (non-matching) email, with no database error and no login.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax (single quotes, OR, UNION, comment markers) inside the email value in web server or application logs
  • Multiple failed login attempts from a single IP, or a successful login with no matching user account
  • Database error messages containing SQL syntax in application responses or error logs

Network Indicators:

  • Unusual database connection patterns
  • Large data transfers from application server

SIEM Query:

source="web_logs" AND uri="*index.php*" AND (email="*'*" OR email="*%27*" OR email="*UNION*" OR email="*--*")

Matching on bare OR or SELECT substrings fires on ordinary addresses (george@, select@), so key on the quote and comment marker instead, and include the URL-encoded forms because the parameter is usually logged as submitted.
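The log indicators and SIEM query above, as a standalone scanner in PHP (an added example, not part of the advisory). It URL-decodes the email parameter of requests to index.php and matches the decoded value against tautology, UNION, comment-marker and time-based patterns, so it avoids the substring false positives of a bare OR match. The combined log format and the sample lines are constructed; the advisory does not state whether the form is submitted by GET or POST, and POST bodies are not in standard access logs, so for a POST login you would feed it application or WAF logs that record the parameter.

```php
<?php
// Added example, not from the advisory. Log format and sample lines are constructed.

const SQLI_PATTERNS = [
    '/\'\s*(or|and)\s*[\'"]?\w+[\'"]?\s*=/i',   // ' OR '1'='1 style tautology
    '/\bunion\s+(all\s+)?select\b/i',           // UNION-based extraction
    '/(--|#|\/\*)/',                             // comment markers that truncate the query
    '/\b(sleep|benchmark)\s*\(/i',               // time-based blind probes
];

// Return the URL-decoded email parameter from a request target, or null if absent.
function extract_email_param(string $target): ?string
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return null;
    }
    parse_str($query, $params);   // parse_str decodes %27 -> ' and + -> space
    return isset($params['email']) ? (string) $params['email'] : null;
}

// Return the indexes of SQLI_PATTERNS that match a decoded email value.
function classify_email_value(string $value): array
{
    $hits = [];
    foreach (SQLI_PATTERNS as $i => $re) {
        if (preg_match($re, $value) === 1) {
            $hits[] = $i;
        }
    }
    return $hits;
}

// Scan combined-log-format lines; return [ip, decoded email, pattern hits] for suspicious ones.
function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        // ip ident user [time] "METHOD target HTTP/x" status size ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        if (strpos($m[2], 'index.php') === false) {
            continue;
        }
        $email = extract_email_param($m[2]);
        if ($email === null) {
            continue;
        }
        $hits = classify_email_value($email);
        if ($hits !== []) {
            $findings[] = ['ip' => $m[1], 'email' => $email, 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample traffic: one benign login, one tautology, one UNION probe.
$sample = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?email=george%40example.com&password=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:12:00:02 +0000] "GET /index.php?email=%27+OR+%271%27%3D%271&password=x HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:12:00:03 +0000] "GET /index.php?email=a%40b.c%27+UNION+SELECT+1%2C2--+&password=x HTTP/1.1" 500 88',
];

foreach (scan_access_log($sample) as $f) {
    // Expected: the two 203.0.113.9 lines are reported; george@example.com is not.
    printf("%s email=%s patterns=%s\n", $f['ip'], $f['email'], implode(',', $f['hits']));
}
```

Decoding before matching is the point: the raw log holds %27 and + rather than a quote and a space, so a rule written against the encoded form misses the same payload sent with different encoding, while a decoded match catches both.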
