CVE-2023-49625

9.8 CRITICAL

📋 TL;DR

Billing Software v1.0 (kashipara) contains an unauthenticated SQL injection in partylist_edit_submit.php: the id parameter is passed to the database unfiltered, so anyone who can reach the endpoint can run arbitrary SQL without logging in. Every installation of v1.0 is affected.

💻 Affected Systems

Products:
  • Billing Software
Versions: v1.0
Operating Systems: All platforms running the software
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the application code, not in a setting, so every v1.0 installation is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: theft or manipulation of every table the application's database account can reach, takeover of application accounts, and, if that account holds file-write or administrative privileges, code execution on the database server.

🟠

Likely Case

Exfiltration of billing records and customer data, and potential authentication bypass where the login check runs through the same database.

🟢

If Mitigated

Limited impact: with the id parameter validated and the application's database account restricted to least privilege, injection attempts fail before they reach data, and they still show up in the logs.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation allows any internet user to attack exposed instances.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The 'id' parameter is injectable with standard techniques (error-based, UNION, boolean- or time-based), and the endpoint needs no session, so off-the-shelf tooling such as sqlmap is sufficient.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.kashipara.com/

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. If a patch is available, download and install it.
3. Confirm that the update validates the id parameter or binds it in a prepared statement rather than passing it straight to the database.
4. Test functionality after the update.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all platforms

Deploy a WAF with SQL injection rules in front of the application and, at minimum, block requests to partylist_edit_submit.php whose id parameter is not a plain integer. A WAF is a stopgap: signature rules are routinely bypassed with encoding and comment tricks, so keep it only until the code is fixed.

Input Validation Filter

Applies to: all platforms

Until a fixed version exists, add input validation that rejects any id value that is not an integer before the script touches the database. The filter below assumes the value arrives in $_GET; use $_POST or $_REQUEST if the edit form submits by POST. This closes this injection point but does not fix the root cause, which is string concatenation into SQL; the proper fix is a prepared statement with the id bound as a parameter.

Example PHP: $id = filter_var($_GET['id'] ?? null, FILTER_VALIDATE_INT); if ($id === false) { die('Invalid input'); }
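For contrast, here is the unsafe concatenation pattern the advisory describes next to a hardened handler that validates the id and binds it in a prepared statement. This is an added example written for this page, not code from the vendor; the table name partylist, the name column, the PDO MySQL DSN and the BILLING_DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example for this advisory, not the vendor's code. Table "partylist",
// column "name" and the MySQL DSN are assumptions used for illustration.
declare(strict_types=1);

// BEFORE: the pattern the advisory describes. The raw id is concatenated into
// the statement, so id=1' OR '1'='1 turns the WHERE clause into
// id='1' OR '1'='1', which matches every row of the table.
function buildUnsafeSql(string $id, string $name): string
{
    return "UPDATE partylist SET name='$name' WHERE id='$id'";   // vulnerable
}

// AFTER: reject anything that is not a positive integer at the edge, then bind
// the value as a typed parameter so the database never parses it as SQL.
function updatePartySafe(PDO $db, ?string $rawId, string $name): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Invalid input');
    }
    $stmt = $db->prepare('UPDATE partylist SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Handler wiring. The advisory does not say whether the form uses GET or POST,
// so $_REQUEST is read here; narrow it to the real method in production.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=billing;charset=utf8mb4',  // assumed DSN
    'billing_app',                                           // least-privilege account
    getenv('BILLING_DB_PASSWORD') ?: '',                     // assumed env variable
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]
);
$changed = updatePartySafe($db, $_REQUEST['id'] ?? null, (string) ($_REQUEST['name'] ?? ''));
echo $changed === 1 ? 'Updated' : 'No such record';
```

With ATTR_EMULATE_PREPARES off, the value travels separately from the statement text, so even a non-integer would be compared as data; the integer check on top turns such input into a clean 400 instead of a silent no-op update and makes the rejections visible in the logs.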

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls and do not expose it to the internet
  • Let the database accept connections only from the application server, and run the application with a database account limited to the tables and operations it needs (no file-write or administrative privileges), so a successful injection cannot write files or reach other databases

🔍 How to Verify

Check if Vulnerable:

Send a request to partylist_edit_submit.php with an injected id value and compare the response with a benign one (id=1). The classic probe is id=1' OR '1'='1, but this is an edit-submit endpoint: a WHERE clause made unconditionally true can update every row, so test against a copy of the system, or use a pair of probes that do not widen the match, such as id=1' AND '1'='2 (expect no record changed) versus id=1' AND '1'='1 (expect the normal result). A database error message or a difference between the two responses shows that the value reached the query unescaped.

Check Version:

Check the software documentation or the application interface for the version string. No fixed release is known (see Patch Version above), so treat every v1.0 installation as vulnerable.

Verify Fix Applied:

Repeat the same payloads and confirm they are rejected with an error (e.g. 'Invalid input') or treated as literal data, giving the same result as a non-existent id rather than a changed query.

📡 Detection & Monitoring

Log Indicators:

  • Database error messages (syntax errors, unterminated strings) in application or web server logs
  • Rejections from the id validation filter, if one has been added, especially many in a short time from one client
  • Requests whose id parameter contains quotes, comment sequences (--, /*) or SQL keywords (SELECT, UNION, SLEEP)

Network Indicators:

  • HTTP requests containing SQL injection patterns to partylist_edit_submit.php
  • Unusual query patterns from the application server, such as UNION selects, information_schema lookups, or an update that touches many rows at once

SIEM Query:

source="web_logs" AND uri="*partylist_edit_submit.php*" AND (param="*id=*'*" OR param="*id=*%27*" OR param="*id=*SELECT*" OR param="*id=*UNION*")

Adjust the field names (source, uri, param) to your log schema. The patterns above catch quote- and UNION-based payloads only; they miss time-based probes (SLEEP, BENCHMARK), comment sequences and double-encoded quotes (%2527), and they see nothing if the form submits the id in a POST body. A tighter rule is to alert on any request to partylist_edit_submit.php whose id value is not a bare integer.
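The SIEM query can be complemented with an allow-list check over the access log: a legitimate id is a bare integer, so anything else on this endpoint is worth an alert. The script below is an added example for this page, not part of the advisory or the vendor's software; the log lines are constructed and the /billing/ path is assumed.

```php
<?php
// Added detection example, not part of the advisory. Flags any request to
// partylist_edit_submit.php whose id parameter is not a bare integer, which
// catches quote-, UNION-, comment- and time-based payloads alike, including
// double-encoded ones. The log lines are constructed (Apache combined format).
declare(strict_types=1);

const TARGET = 'partylist_edit_submit.php';

// Returns the fully decoded id value when the request looks injected, null if
// the line is not a request to TARGET, carries no id, or the id is a plain integer.
function suspiciousId(string $logLine): ?string
{
    // Request line: "METHOD /path?query HTTP/x.y"
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $logLine, $m)) {
        return null;
    }
    $url = $m[1];
    if (stripos($url, TARGET) === false) {
        return null;
    }
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;             // no query string (e.g. a POST body we cannot see)
    }
    parse_str($query, $params);  // decodes one layer of percent-encoding
    if (!isset($params['id'])) {
        return null;
    }
    $id = is_array($params['id']) ? implode(',', $params['id']) : (string) $params['id'];
    $id = rawurldecode($id);     // strip a second layer (%2527 -> %27 -> ')
    return preg_match('/^\d+$/', $id) ? null : $id;
}

// Constructed sample log; assumed path /billing/.
$sampleLog = [
    // benign edit
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /billing/partylist_edit_submit.php?id=42&name=Acme HTTP/1.1" 200 512',
    // classic quote payload, percent-encoded by the client
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /billing/partylist_edit_submit.php?id=42%27%20OR%20%271%27%3D%271&name=x HTTP/1.1" 200 9001',
    // double-encoded time-based probe that a plain quote/UNION signature does not match
    '203.0.113.7 - - [10/Jan/2024:10:00:09 +0000] "GET /billing/partylist_edit_submit.php?id=42%2520AND%2520SLEEP(5)&name=x HTTP/1.1" 200 512',
    // quote sent to a different script: out of scope for this rule
    '198.51.100.2 - - [10/Jan/2024:10:01:00 +0000] "GET /billing/partylist_list.php?id=42%27 HTTP/1.1" 200 300',
    // POST with the id in the body: invisible to access-log rules
    '198.51.100.2 - - [10/Jan/2024:10:01:03 +0000] "POST /billing/partylist_edit_submit.php HTTP/1.1" 302 0',
];

foreach ($sampleLog as $line) {
    $hit = suspiciousId($line);
    if ($hit !== null) {
        $client = strtok($line, ' ');   // first field is the client address
        printf("ALERT %s id=%s\n", $client, $hit);
    }
}
```

Run it with php detect.php. The two injected GET requests raise alerts, the benign edit and the other script do not, and the POST line shows the blind spot: if the form submits the id in the request body, this check has to run on application or WAF logs instead of the access log.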

🔗 References