CVE-2023-48901

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in tramyardg Autoexpress 1.3.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'id' parameter in details.php. Attackers can potentially read, modify, or delete database content, leading to data breaches or system compromise. All systems running the vulnerable version are affected.

💻 Affected Systems

Products:
  • tramyardg Autoexpress
Versions: 1.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation and requires no special configuration to be exploitable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise allowing data theft, data destruction, authentication bypass, and potential remote code execution if database functions permit.

🟠 Likely Case

Data exfiltration from the database, including sensitive information like user credentials, personal data, or business records.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available, making this easily exploitable by attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Implement Input Validation


Add server-side validation to ensure the 'id' parameter contains only numeric values.

Modify details.php to include: if (!is_numeric($_GET['id'])) { die('Invalid input'); }

Use Parameterized Queries


Replace direct SQL concatenation with prepared statements using PDO or mysqli.

Replace vulnerable query with: $stmt = $pdo->prepare('SELECT * FROM photos WHERE car_id = ?'); $stmt->execute([$_GET['id']]);
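The two workarounds above combined into one hardened request handler, written here as an added example (not Autoexpress project code). It keeps the table and column names the advisory quotes (photos, car_id) but assumes the DSN, credentials, the JSON response and the helper names parseCarId/fetchPhotos. It uses FILTER_VALIDATE_INT rather than is_numeric(), because is_numeric() also accepts values such as "1e5" and "1.0" that a car id should never be; the bound parameter then guarantees the value is never interpreted as SQL.

```php
<?php
// Added example of a hardened details.php handler; not the project's own code.
declare(strict_types=1);

/**
 * Validate the 'id' query parameter as a strict positive integer.
 * FILTER_VALIDATE_INT rejects "1e5", "1.0" and anything containing a quote,
 * some of which is_numeric() alone would accept. Returns null when the value
 * is missing, is not a string (e.g. id[]=1) or is malformed.
 */
function parseCarId(array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch photo rows for a car with a prepared statement. The id is bound as an
 * integer parameter, so the database never sees it as part of the SQL text.
 * Table and column names are the ones the advisory quotes (photos.car_id).
 */
function fetchPhotos(PDO $pdo, int $carId): array
{
    $stmt = $pdo->prepare('SELECT * FROM photos WHERE car_id = :car_id');
    $stmt->bindValue(':car_id', $carId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling as details.php would do it: validate first, then query.
$carId = parseCarId($_GET);
if ($carId === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Placeholder DSN and credentials (assumed; adjust for the real deployment).
$pdo = new PDO(
    'mysql:host=localhost;dbname=autoexpress;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use native server-side prepares
    ]
);

$photos = fetchPhotos($pdo, $carId);
header('Content-Type: application/json');
echo json_encode($photos);
```

Disabling emulated prepares makes MySQL itself parse the statement once and receive the parameter separately; with emulation enabled, PDO would instead quote the value client-side, which is still safe for a bound integer but defeats the purpose of the check being server-side.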

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with SQL injection rules
  • Restrict network access to the application to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Test the 'id' parameter in details.php with SQL injection payloads like: details.php?id=1' OR '1'='1

Check Version:

Check the application version in the source code or configuration files.

Verify Fix Applied:

Test with the same payloads after implementing fixes; should return error or no data instead of executing SQL.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple requests with SQL-like patterns in the 'id' parameter

Network Indicators:

  • HTTP requests to details.php with suspicious 'id' parameter values containing SQL keywords

SIEM Query:

source="web_logs" AND uri="*details.php*" AND (param="*id=*'*" OR param="*id=*%27*" OR param="*id=* OR *" OR param="*id=* UNION *")
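A script form of the log indicators and the SIEM query above, added here as an example (not from the advisory or the project). It parses combined-format access log lines, URL-decodes the 'id' parameter of requests to details.php (so %27 is caught as a quote, as in the SIEM query) and flags any value that is not a plain integer. The log lines are constructed for the example and the function names extractIdParam, classifyId and scanLog are assumptions.

```php
<?php
// Added example: offline scan of access-log lines for the advisory's indicators.
declare(strict_types=1);

// Reasons a decoded 'id' value is flagged, checked in order after the
// plain-integer test. Mirrors the quote / OR / UNION terms of the SIEM query.
const SQLI_PATTERNS = [
    'quote'   => "/['\"]/",
    'comment' => '/(--|#|\/\*)/',
    'keyword' => '/\b(or|and|union|select|sleep|benchmark)\b/i',
];

/** Return the URL-decoded 'id' parameter of a details.php request, or null. */
function extractIdParam(string $logLine): ?string
{
    // Request line inside the log entry: "GET /details.php?id=... HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S*details\.php\?[^" ]*)/', $logLine, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    parse_str($query, $params); // decodes percent-encoding such as %27
    return isset($params['id']) && is_string($params['id']) ? $params['id'] : null;
}

/** Null for a benign integer id, otherwise the name of the matched reason. */
function classifyId(string $id): ?string
{
    if (preg_match('/^\d+$/', $id)) {
        return null;
    }
    foreach (SQLI_PATTERNS as $name => $re) {
        if (preg_match($re, $id)) {
            return $name;
        }
    }
    return 'non-numeric';
}

/** Scan an array of log lines; returns one hit per suspicious details.php request. */
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $id = extractIdParam($line);
        if ($id === null) {
            continue;
        }
        $reason = classifyId($id);
        if ($reason !== null) {
            $hits[] = ['line' => $n + 1, 'id' => $id, 'reason' => $reason];
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
$sample = [
    '203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /details.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /details.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Jan/2024:10:00:03 +0000] "GET /details.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 800',
    '198.51.100.7 - - [10/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024',
];

foreach (scanLog($sample) as $hit) {
    printf("line %d: id=%s reason=%s\n", $hit['line'], $hit['id'], $hit['reason']);
}
```

On the constructed sample this reports line 2 (reason quote) and line 3 (reason keyword); lines 1 and 4 are ignored. A 500 status on a details.php request with a flagged id, as in line 2, is the "unusual SQL error" indicator and deserves the highest priority when triaging.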
