CVE-2023-46679

9.8 CRITICAL

📋 TL;DR

Online Job Portal v1.0 has unauthenticated SQL injection vulnerabilities in the 'txt_uname_email' parameter of index.php, allowing attackers to execute arbitrary SQL commands without authentication. This affects all deployments of this specific software version.

💻 Affected Systems

Products:
  • Online Job Portal
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of Online Job Portal v1.0 regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution via database functions.

🟠 Likely Case

Database information disclosure, credential theft, and potential privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection attempts would still be logged.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The injectable parameter is processed during authentication, so it is reachable before login and exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side input validation to filter SQL injection patterns in the txt_uname_email parameter

Modify index.php to add parameter sanitization before database queries

Web Application Firewall

all

Deploy WAF with SQL injection rules to block malicious requests

Configure WAF to block SQL injection patterns in POST parameters

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with strict input validation
  • Connect the application to the database as a user with minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Test the txt_uname_email parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test with SQL injection payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database query patterns
  • Multiple failed login attempts with SQL characters

Network Indicators:

  • HTTP POST requests containing SQL keywords to index.php
  • Unusual database port traffic from web server

SIEM Query:

web.url:*index.php* AND (web.post_param.txt_uname_email:*OR* OR web.post_param.txt_uname_email:*UNION* OR web.post_param.txt_uname_email:*SELECT*)
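
One way to apply the indicators above to captured request logs, as an added example (not part of the original advisory or the application's code). The log line format, the sample records and the pattern list are constructed assumptions; only index.php and txt_uname_email come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Token-level patterns. Word boundaries and the leading quote avoid the false
# positives of a case-insensitive substring match on OR (e.g. "gordon@example.com").
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\b", re.I),                # quote break-out + boolean operator
    re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),  # UNION ... SELECT
    re.compile(r"--|#|/\*"),                            # SQL comment truncating the query
]

# Constructed sample records: "<src_ip> <method> <url> <urlencoded_body>"
SAMPLE_LOG = [
    "198.51.100.7 POST /index.php txt_uname_email=gordon%40example.com",
    "203.0.113.9 POST /index.php txt_uname_email=%27+OR+%271%27%3D%271",
    "203.0.113.9 POST /index.php txt_uname_email=x%27+UNION+SELECT+1",
    "198.51.100.7 POST /other.php txt_uname_email=%27+OR+%271%27%3D%271",
    "198.51.100.7 GET /index.php -",
]

def parse_record(line):
    """Split one constructed log line and URL-decode the POST body."""
    src, method, url, body = line.split(" ", 3)
    return src, method, urlsplit(url).path, parse_qs(body, keep_blank_values=True)

def suspicious(line):
    """Return a finding dict if txt_uname_email on index.php looks like SQLi, else None."""
    src, method, path, params = parse_record(line)
    if method != "POST" or not path.endswith("index.php"):
        return None
    for value in params.get("txt_uname_email", []):
        hits = [p.pattern for p in SQLI_PATTERNS if p.search(value)]
        if hits:
            return {"src": src, "value": value, "matched": hits}
    return None

def scan(lines):
    """Collect findings for every suspicious record."""
    return [finding for finding in map(suspicious, lines) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["src"], repr(finding["value"]), finding["matched"])
```

Matching runs on the decoded parameter value, so URL-encoded input is caught, and the benign address containing "or" is not flagged.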
