CVE-2023-27113
Published: 21 January 2025
Summary
CVE-2023-27113 is a critical-severity SQL Injection (CWE-89) vulnerability in a54552239 pearProjectApi. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 44.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-27113 is a SQL injection vulnerability (CWE-89) affecting pearProjectApi version 2.8.10. The issue arises via the organizationCode parameter in the project.php component, which is used in a database query without adequate neutralization, so attacker-supplied SQL can be injected and executed. Published on 2025-01-21, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical severity, because the flaw is reachable over the network with low complexity, needs no privileges or user interaction, and has high impact on confidentiality, integrity and availability.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation allows arbitrary SQL query execution, granting high-impact access to confidential data, modification of database contents, and disruption of service availability.
Mitigation details are available in the GitHub issue at https://github.com/a54552239/pearProjectApi/issues/31, which serves as the primary advisory reference for this CVE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30897
Vulnerability details
pearProjectApi v2.8.10 was discovered to contain a SQL injection vulnerability via the organizationCode parameter at project.php.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing web API component enables initial access via exploitation of the exposed application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation of untrusted inputs like the organizationCode parameter before database queries.
- Mandates timely remediation of identified flaws, such as patching the SQL injection vulnerability in pearProjectApi v2.8.10.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects SQL injection issues like CVE-2023-27113 in applications for proactive remediation.
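The SI-10 control above is easiest to see against the defect it addresses. The following is an added example, not pearProjectApi's code and not the vulnerable project.php logic: it uses an in-memory SQLite table with constructed rows, a hypothetical allowlist pattern for organizationCode (the real format is not given on this page), and shows three lookups side by side: one that splices the parameter into the SQL text (the CWE-89 pattern), one that only binds it as a query parameter, and one that validates it first and then binds it.

```python
import re
import sqlite3

# Constructed sample rows standing in for a projects table; not the project's real schema.
SAMPLE_PROJECTS = [
    ("ORG001", "Alpha"),
    ("ORG002", "Beta"),
    ("ORG003", "Gamma"),
]

# Hypothetical allowlist for organizationCode: the page does not state the real format.
ORG_CODE_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE project (organization_code TEXT, name TEXT)")
    conn.executemany("INSERT INTO project VALUES (?, ?)", SAMPLE_PROJECTS)
    conn.commit()
    return conn


def validate_organization_code(code):
    """SI-10 style validation: accept only values matching the allowlist, else raise."""
    if not isinstance(code, str) or not ORG_CODE_RE.fullmatch(code):
        raise ValueError("invalid organizationCode")
    return code


def projects_unsafe(conn, org_code):
    """CWE-89 pattern: the untrusted value becomes part of the SQL statement text."""
    sql = "SELECT name FROM project WHERE organization_code = '" + org_code + "'"
    return [row[0] for row in conn.execute(sql)]


def projects_param_only(conn, org_code):
    """Parameter binding alone: the value is passed as data, never parsed as SQL."""
    sql = "SELECT name FROM project WHERE organization_code = ?"
    return [row[0] for row in conn.execute(sql, (org_code,))]


def projects_safe(conn, org_code):
    """Hardened: validate against the allowlist first, then bind as a parameter."""
    code = validate_organization_code(org_code)
    return projects_param_only(conn, code)


def demo():
    """Run all three lookups on a benign and a constructed quote-bearing input."""
    conn = make_db()
    benign = "ORG002"
    # Constructed input containing a quote character, of the kind the advisory describes.
    crafted = "x' OR '1'='1"
    results = {
        "unsafe_benign": projects_unsafe(conn, benign),
        "unsafe_crafted": projects_unsafe(conn, crafted),   # every row comes back
        "param_only_crafted": projects_param_only(conn, crafted),  # no row matches
        "safe_benign": projects_safe(conn, benign),
    }
    try:
        projects_safe(conn, crafted)
        results["safe_crafted"] = "accepted"
    except ValueError:
        results["safe_crafted"] = "rejected"   # stopped before the query is built
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Binding the parameter is what removes the injection; the allowlist check is a second layer that rejects malformed input before it reaches the database at all and gives a clean point to log and count rejected requests, which is useful as a detection signal for probing against this endpoint.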