Cyber Resilience

CVE-2023-33584

CriticalPublic PoC

Published: 21 June 2023

Published
21 June 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.3065 96.8th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-33584 is a critical-severity SQL Injection (CWE-89) vulnerability in Enrollment System Project Enrollment System. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 3.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Sourcecodester Enrollment System Project V1.0 contains a SQL injection vulnerability tracked as CVE-2023-33584. The flaw stems from insufficient validation of user input in the username and password fields of the login process, allowing crafted SQL statements to be executed against the backend database. The issue is classified under CWE-89 and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.

An unauthenticated attacker can supply malicious input during login to bypass authentication, extract or modify database contents, and potentially obtain administrative control of the enrollment system. Public exploit code demonstrating authentication bypass via SQL injection has been published on multiple platforms shortly after disclosure.

The EPSS score rose from a low baseline to a peak of 0.3456 before settling at the current value of 0.3065, indicating a clear increase in observed exploitation interest following public release of the vulnerability details. No official vendor patches or mitigation guidance appear among the available references, which consist primarily of proof-of-concept exploits.

EU & UK References

Vulnerability details

Sourcecodester Enrollment System Project V1.0 is vulnerable to SQL Injection (SQLI) attacks, which allow an attacker to manipulate the SQL queries executed by the application. The application fails to properly validate user-supplied input in the username and password fields during…

more

the login process, enabling an attacker to inject malicious SQL code.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

enrollment system project
enrollment system
1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References