CVE-2023-33338
published 2023-05-23CVE-2023-33338: Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.66%
88.2th percentile
Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| phpgurukul | old_age_home_management_system | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect SQL injection auth-bypass attempt: POST to /admin/login.php with a username parameter containing a URL-encoded single-quote and OR 1=1 comment payload (vaday' or 1=1#) ↗
- →Successful exploitation results in HTTP 200 on /admin/dashboard.php with body containing 'Change Password' and 'Old Age Home Management System|| Dashboard' — monitor for unauthenticated access to the dashboard endpoint following a login POST ↗
- →Content-Type is application/x-www-form-urlencoded; inspect POST body to /admin/login.php for SQL metacharacters (single-quote, OR, comment sequences) in the username field ↗
- ·The Nuclei template requires two sequential requests: first a POST to /admin/login.php with the SQLi payload, then a GET to /admin/dashboard.php to confirm auth-bypass success. Both conditions must be met (HTTP 200 + specific body strings) for a true positive. ↗
- ·Vulnerability is unauthenticated (PR:N, UI:N) and network-reachable (AV:N), meaning no prior credentials or user interaction are required for exploitation. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Old Age Home Management System v1.0 - SQL Injection
nuclei·CVSS 9.8
CVE-2023-33338 [CRITICAL] Old Age Home Management System v1.0 - SQL Injection
Old Age Home Management System v1.0 - SQL Injection
Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.
Template:
id: CVE-2023-33338
info:
name: Old Age Home Management System v1.0 - SQL Injection
author: Harsh
severity: critical
description: |
Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary SQL queries, potentially leading to unauthorized access, data leakage, or data manipulation.
remediation: |
Apply the latest patches or updates provided by the vendor to fix the SQL Injection vulnerability in the Old Age Home Management System v1.0.
reference:
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendor
No writeups or analysis indexed.
2023-05-23
Published