CVE-2023-6410

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Voovi Social Networking Script version 1.0 allows remote attackers to execute arbitrary SQL queries via the editprofile.php endpoint. Attackers can potentially retrieve all application data, including user credentials and sensitive information. All systems running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Voovi Social Networking Script
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of version 1.0 via editprofile.php parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, credential theft, and potential system takeover via subsequent attacks.

🟠 Likely Case

Unauthorized access to sensitive user data, including personal information, messages, and potentially administrative credentials.

🟢 If Mitigated

Limited impact where input validation and least-privilege database permissions are in place; injection attempts would still appear in the logs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit with readily available tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-voovi-social-networking-script

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. If no patch exists, implement parameterized queries or input validation.
3. Replace the vulnerable editprofile.php with a secure version.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add input validation to sanitize parameters before SQL processing:

# Add parameter validation in editprofile.php
# Example: $param = mysqli_real_escape_string($connection, $_POST['param']);
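The escaping shown above only protects a value that sits inside a quoted string literal and depends on the connection charset being set correctly; the parameterized queries named in the fix instructions remove the bug class outright. The following is an added example, not code from the Voovi project or from the advisory: a profile-update handler in the shape editprofile.php is described as having, with the vulnerable concatenation beside a prepared-statement version. The table and column names, the session field and the connection details are assumptions. The allow-list helper at the end goes beyond the page to cover the one case prepared statements cannot bind (a client-chosen identifier).

```php
<?php
// Added example, not Voovi's own code. Table/column names, the session
// field and the connection details are assumed for illustration.

// VULNERABLE: user input concatenated straight into the SQL text. A quote
// in $_POST['bio'] ends the literal and the remainder is parsed as SQL.
function update_bio_vulnerable(mysqli $db, int $userId): bool
{
    $bio = $_POST['bio'] ?? '';
    $sql = "UPDATE users SET bio = '" . $bio . "' WHERE id = " . $userId;
    return $db->query($sql) !== false;
}

// HARDENED: prepared statement with bound parameters. The statement is
// compiled before the values are supplied, so no character in the value
// can alter its structure.
function update_bio_hardened(mysqli $db, int $userId): bool
{
    $bio = $_POST['bio'] ?? '';

    // Bound the field length as well; this is the "input validation" the
    // advisory asks for, applied in addition to binding, not instead of it.
    if (mb_strlen($bio) > 500) {
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare('UPDATE users SET bio = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $bio, $userId);   // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Identifiers (column names, table names) cannot be bound as parameters.
// If the client may choose one, check it against a fixed allow-list.
function resolve_sort_column(string $requested): string
{
    $allowed = ['username', 'created_at', 'last_login'];
    return in_array($requested, $allowed, true) ? $requested : 'username';
}

// Assumed wiring; the connection values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'voovi');
$db->set_charset('utf8mb4');
session_start();
$userId = (int) ($_SESSION['user_id'] ?? 0);
if ($userId > 0 && $_SERVER['REQUEST_METHOD'] === 'POST') {
    update_bio_hardened($db, $userId);
}
```

Every field that editprofile.php writes to the database needs the same treatment; one remaining concatenated parameter is enough to keep the vulnerability alive.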

Web Application Firewall

Platform: all

Deploy a WAF with SQL injection protection rules:

# Configure WAF to block SQL injection patterns
# Example ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1000,phase:2,deny"

🧯 If You Can't Patch

  • Implement network segmentation to isolate the vulnerable system
  • Deploy database monitoring to detect unusual query patterns

🔍 How to Verify

Check if Vulnerable:

Check if running Voovi Social Networking Script version 1.0 and review editprofile.php for lack of parameterized queries

Check Version:

# Check script version in configuration files or admin panel

Verify Fix Applied:

Test editprofile.php endpoint with SQL injection payloads to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts via editprofile.php
  • Long parameter values containing SQL keywords

Network Indicators:

  • HTTP POST requests to editprofile.php with SQL syntax in parameters
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="*editprofile.php*" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR 1=1*")
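A plain substring match such as the SIEM query above misses payloads that arrive URL-encoded (or double-encoded) and fires on ordinary words that happen to contain a keyword. The following is an added example, not part of the advisory or the Voovi project: a small scanner that applies the same indicators to web server access-log lines after decoding the parameters, with word-boundary patterns to cut false positives. The log lines are constructed for illustration and use RFC 5737 documentation addresses.

```php
<?php
// Added example, not from the advisory or the Voovi project. The log
// lines below are constructed; the SQLI_PATTERNS list is a starting point,
// not a complete signature set.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [12/Dec/2023:10:15:32 +0000] "GET /editprofile.php?bio=hello+world HTTP/1.1" 200 512
203.0.113.5 - - [12/Dec/2023:10:15:40 +0000] "GET /editprofile.php?bio=%27%20OR%201%3D1--%20 HTTP/1.1" 200 512
198.51.100.9 - - [12/Dec/2023:10:16:01 +0000] "GET /editprofile.php?bio=I+love+trade+unions HTTP/1.1" 200 498
198.51.100.9 - - [12/Dec/2023:10:16:09 +0000] "GET /editprofile.php?city=x%2527%2520UNION%2520SELECT%25201%252C2-- HTTP/1.1" 200 498
192.0.2.44 - - [12/Dec/2023:10:17:00 +0000] "GET /index.php?q=select+a+photo HTTP/1.1" 200 2048
LOG;

// The advisory's indicators (SELECT, UNION, OR 1=1) with word boundaries,
// so "unions" or "selection" in normal profile text does not match.
const SQLI_PATTERNS = [
    '/\bunion\b\s+(all\s+)?select\b/i',
    '/\bor\b\s+\d+\s*=\s*\d+/i',
    '/\bselect\b\s+.*\bfrom\b/i',
];

// Parse one common/combined-format access-log line into its parts.
function parse_access_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $url['path'] ?? $m[4],
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[5],
    ];
}

// parse_str() removes one layer of URL encoding; decoding each value once
// more catches double-encoded payloads that single-decode filters miss.
function decode_params(string $query): array
{
    $params = [];
    parse_str($query, $params);
    $decoded = [];
    foreach ($params as $name => $value) {
        if (is_string($value)) {
            $decoded[$name] = urldecode($value);
        }
    }
    return $decoded;
}

// Return every parameter of a request to $targetPath that matches a pattern.
function scan_log(string $log, string $targetPath = '/editprofile.php'): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_access_line($line);
        if ($req === null || $req['path'] !== $targetPath) {
            continue;
        }
        foreach (decode_params($req['query']) as $name => $value) {
            foreach (SQLI_PATTERNS as $pattern) {
                if (preg_match($pattern, $value)) {
                    $hits[] = [
                        'time'   => $req['time'],
                        'client' => $req['client'],
                        'param'  => $name,
                        'value'  => $value,
                    ];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Against SAMPLE_LOG this reports the second and fourth lines only: the
// "trade unions" bio and the index.php request are not flagged.
foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("%s %s param=%s value=%s\n", $hit['time'], $hit['client'], $hit['param'], $hit['value']);
}
```

Access logs record the query string but not POST bodies, and the advisory's network indicator concerns POST requests to editprofile.php. To cover those, feed the same scanner the parameters from a ModSecurity audit log (the WAF workaround above produces one) or from application-level request logging, rather than from the access log alone.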
