Cyber Resilience

CVE-2023-33338

Critical · Public PoC

Published: 23 May 2023

Modified: 31 January 2025
KEV Added: not listed
Patch: no patch information in the referenced sources
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7329 (98.8th percentile)
Risk Priority: 64 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33338 is a critical-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Old Age Home Management System. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 1.2% of all CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Old Age Home Management 1.0 contains a SQL injection vulnerability, tracked as CVE-2023-33338 and assigned CWE-89, that affects the username parameter. The flaw received a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

An unauthenticated remote attacker can supply crafted input through the username field to manipulate backend SQL queries, enabling arbitrary data access, modification, or deletion within the application database and potentially leading to complete system compromise.

Public references consist of GitHub repositories that document the issue for the ANUJ-KUMAR Old-Age-Home-Management-2022-2023-1.0 codebase; no official vendor advisories or patch information are included in the provided references. The associated EPSS score stands at 0.7329 after reaching a recorded peak of 0.7530.

Vulnerability details

Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: phpgurukul
Product: old age home management system
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

- Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
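The second control above is the one that actually removes the CWE-89 weakness. The PHP below is an added illustration written for this entry; it is not code from the Old Age Home Management System or from the phpgurukul project, and the `users` table, its columns and the SQLite in-memory database (which assumes the `pdo_sqlite` extension is available) are constructed for the demo. It places a username lookup that splices the parameter into the SQL text next to the hardened form that uses a prepared statement with a bound parameter, so that whatever arrives in the username field is treated as data and can never alter the statement that the database executes.

```php
<?php
// Added illustration (not the project's code): the CWE-89 pattern behind a
// "username parameter" SQL injection, beside the parameterised fix.
// Schema and sample rows are constructed for this demo.

declare(strict_types=1);

// VULNERABLE PATTERN: the username is concatenated into the SQL text, so a
// value containing quote characters changes the structure of the statement.
function findUserVulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED PATTERN: a placeholder keeps the SQL text fixed; the driver sends
// the username as a separate value. The password is checked with
// password_verify() against a stored hash instead of inside the query.
function findUserSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password: same response either way
    }
    unset($row['password_hash']);
    return $row;
}

// Self-contained setup: an in-memory SQLite database with one constructed user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$insert->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// A benign lookup behaves the same way in both versions.
var_dump(findUserVulnerable($db, 'admin') !== null);
var_dump(findUserSafe($db, 'admin', 'correct horse battery staple') !== null);
var_dump(findUserSafe($db, 'admin', 'wrong password') === null);

// In the hardened version a username containing SQL metacharacters is just a
// string that matches no row; the statement text the database sees is unchanged.
var_dump(findUserSafe($db, "admin' --", 'anything') === null);
```

Running the script with `php` prints `bool(true)` four times. The design point is that the fix is structural rather than a filter: the prepared statement makes input validation a defence in depth rather than the only barrier, which is why the control list above pairs query-input validation with a separate test that looks for places where the structural fix is missing.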
