Login Sign Up

CVE-2023-49968

7.3 HIGH
SQL Injection

📋 TL;DR

Customer Support System v1 contains a SQL injection vulnerability in the id parameter at /customer_support/manage_department.php. This allows attackers to execute arbitrary SQL commands on the database. Organizations using this specific software version are affected.

💻 Affected Systems

Products:
  • Customer Support System
Versions: v1.0
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific source code from SourceCodester; custom implementations may vary.

📦 What is this software?

Customer Support System by Oretnom23

View all CVEs affecting Customer Support System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data manipulation, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized data access, modification, or deletion of customer support records and potentially user credentials.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication to access /customer_support/manage_department.php endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Replace vulnerable code with parameterized queries or input validation.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add server-side validation to ensure id parameter contains only numeric values.

Modify manage_department.php to validate id parameter using is_numeric() or similar functions before SQL execution.

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block SQL injection patterns targeting the id parameter.

Configure WAF to detect and block SQL injection attempts on /customer_support/manage_department.php?id=*

🧯 If You Can't Patch

  • Restrict access to /customer_support/ directory to authorized users only using authentication and IP whitelisting.
  • Implement database user with minimal privileges (SELECT only) for the application to limit potential damage.

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads like /customer_support/manage_department.php?id=1' OR '1'='1 and observe database errors or unexpected behavior.

Check Version:

Check source code or documentation for version information; no standard command available.

Verify Fix Applied:

After implementing fixes, retest with SQL injection payloads to confirm they are blocked or sanitized without errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts followed by SQL injection patterns

Network Indicators:

  • HTTP requests to /customer_support/manage_department.php with SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/customer_support/manage_department.php" AND (param="id" AND value MATCH "[';]|OR|UNION|SELECT")

📊 Metadata

CVE ID: CVE-2023-49968
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-89
Published: March 5, 2024
Last Updated: March 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-49968, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)