CVE-2023-33584
Published: 21 June 2023
Summary
CVE-2023-33584 is a critical-severity SQL Injection (CWE-89) vulnerability in Sourcecodester Enrollment System Project V1.0. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 3.2% of CVEs by exploit likelihood (EPSS percentile); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Sourcecodester Enrollment System Project V1.0 contains a SQL injection vulnerability tracked as CVE-2023-33584. The flaw stems from insufficient validation of user input in the username and password fields of the login process, allowing crafted SQL statements to be executed against the backend database. The issue is classified under CWE-89 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.
An unauthenticated attacker can supply malicious input during login to bypass authentication, extract or modify database contents, and potentially obtain administrative control of the enrollment system. Public exploit code demonstrating authentication bypass via SQL injection was published on multiple platforms shortly after disclosure.
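As an added illustration (not code from the Sourcecodester project, whose login source is not reproduced on this page), the following Python script reconstructs the CWE-89 pattern the text describes: the username and password concatenated straight into the login query, beside the parameterised form that closes the hole. The table and column names, the seeded credentials and the payload strings are constructed for the example, and SQLite stands in for the real backend; the same logic applies to the PHP/MySQL stack such projects normally run on.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the enrollment backend.

    Table and column names are assumptions for the example, not the
    project's schema. Passwords are stored in clear text only to keep
    the demonstration short; that is a separate weakness, not the point here.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "S3cret!", "admin"), ("student1", "pass123", "student")],
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Hypothetical reconstruction of the vulnerable pattern (CWE-89).

    The two fields are spliced into the SQL text, so a quote in either
    field ends the string literal and the rest of the input is parsed
    as SQL. Returns the matching (id, username, role) row or None.
    """
    sql = (
        "SELECT id, username, role FROM users "
        "WHERE username = '" + username + "' AND password = '" + password + "'"
    )
    return con.execute(sql).fetchone()


def login_fixed(con, username, password):
    """Hardened form: a parameterised query.

    The values travel separately from the SQL text, so they are only ever
    compared as data; quotes, comment markers and OR clauses in the input
    have no syntactic effect.
    """
    return con.execute(
        "SELECT id, username, role FROM users "
        "WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Constructed payloads of the kind used for login bypass.
# Tautology: AND binds tighter than OR, so the WHERE clause becomes
#   username='' OR ('1'='1' AND password='') OR '1'='1'   -> true for every row
TAUTOLOGY = "' OR '1'='1"
# Comment-out: closes the literal after a known username and discards
# the password check (trailing space keeps "-- " valid on MySQL too).
COMMENT_OUT = "admin' -- "


def run_demo():
    """Exercise both login functions; returns the outcomes for inspection."""
    con = build_db()
    return {
        "vuln_valid": login_vulnerable(con, "admin", "S3cret!"),
        "vuln_wrong_password": login_vulnerable(con, "admin", "wrong"),
        "vuln_tautology": login_vulnerable(con, TAUTOLOGY, TAUTOLOGY),
        "vuln_comment_out": login_vulnerable(con, COMMENT_OUT, "anything"),
        "fixed_valid": login_fixed(con, "admin", "S3cret!"),
        "fixed_tautology": login_fixed(con, TAUTOLOGY, TAUTOLOGY),
        "fixed_comment_out": login_fixed(con, COMMENT_OUT, "anything"),
    }


if __name__ == "__main__":
    for name, row in run_demo().items():
        print(f"{name:20s} -> {row}")
```

In the vulnerable function both payloads return the first row of the table, which on this constructed schema is the administrator account, without knowing its password; the parameterised version returns no row for either payload and only succeeds with the real credentials. Parameterisation is the fix; allow-list validation of the username format and password hashing are worthwhile additions but do not substitute for it.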
The EPSS score rose from a low baseline to a peak of 0.3456 before settling at the current value of 0.3065, indicating a clear increase in observed exploitation interest following public release of the vulnerability details. No official vendor patches or mitigation guidance appear among the available references, which consist primarily of proof-of-concept exploits.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37740
Vulnerability details
Sourcecodester Enrollment System Project V1.0 is vulnerable to SQL Injection (SQLI) attacks, which allow an attacker to manipulate the SQL queries executed by the application. The application fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.