CVE-2023-4974
published 2023-09-15

Priority: P267 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 4.89% (91.0th percentile)
A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument price_min/price_max leads to sql injection. The attack may be launched remotely. VDB-239750 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
Vendor         Product        Version range   Fixed in
academylms     -              -               -
creativeitem   academy_lms    -               -

The version-range and fixed-in columns are empty on the page; the description names Academy LMS 6.2 as the affected version.

Detection & IOCs (extracted from sources)

url: /academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0
path: /academy/tutor/filter
command: price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0
command: price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0
sigma: GET /tutor/filter?searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 HTTP/1.1
  • Detect time-based blind SQLi attempts against Academy LMS by monitoring GET requests to /tutor/filter whose price_min or price_max parameter carries a SLEEP() payload. The IOCs show the endpoint both with and without an /academy/ install prefix, so match on the path suffix rather than the full path.
  • Alert on HTTP 500 responses from the /tutor/filter endpoint whose body contains 'Courses' and whose request duration is >= 7 seconds; that combination indicates the injected SLEEP() executed, i.e. successful time-based exploitation rather than a mere attempt.
  • Use Shodan/FOFA queries to identify exposed Academy LMS instances as potential targets: html:"Academy LMS" or body="academy lms".
  • The injection is MySQL >= 5.0.12 time-based blind using the SLEEP() function; look for SELECT(SLEEP(...)) patterns, percent-encoded or plaintext, in the GET parameters price_min and price_max.
  • The vulnerability is unauthenticated (PR:N): no credentials, session cookie or authentication token are needed in the attack request.
  • The Nuclei template uses a 20-second timeout to accommodate the SLEEP(7) and SLEEP(9) payloads; detection rules should treat an artificially delayed response as the signal rather than waiting for a connection error.
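The detection logic in the bullets above, as an added example that is not code from the page, the vendor or the Nuclei project: a Python scanner that runs over access-log lines, percent-decodes price_min/price_max, flags SLEEP()-style payloads on the /tutor/filter path suffix, and marks an attempt as likely successful when the logged request duration is at least the delay the payload asked for. The log format (combined log with a trailing request-time field in seconds), the sample entries, and the extra BENCHMARK/pg_sleep/WAITFOR patterns are constructed assumptions, not taken from the advisory.

```python
"""Detect CVE-2023-4974-style time-based blind SQLi against Academy LMS
/tutor/filter in web-server access logs.  Added example for this page;
not code from Academy LMS, Nuclei, or the advisory.  The log format and
the sample lines below are constructed assumptions."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Injection points named in the advisory.
INJECTED_PARAMS = ("price_min", "price_max")
# Endpoint suffix; the install prefix (/academy/ in the IOCs) varies per site.
TARGET_PATH_SUFFIX = "/tutor/filter"
# The published payloads wrap SLEEP(); BENCHMARK/pg_sleep/WAITFOR DELAY are
# added here as an assumption to catch equivalent time-based primitives.
TIME_BASED_RE = re.compile(
    r"(?i)\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b"
)
SLEEP_SECONDS_RE = re.compile(r"(?i)\bsleep\s*\(\s*(\d+(?:\.\d+)?)")
SLOW_SECONDS = 7.0  # smallest SLEEP() value in the published payloads

# Assumed format: Apache/nginx combined log with the request time in seconds
# appended as the last field (e.g. nginx $request_time).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<duration>\d+(?:\.\d+)?)$'
)

# Constructed sample lines: a benign search, the two published payloads
# (the second one percent-encoded), and a benign value that merely contains
# the word "sleep".
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2023:10:00:01 +0000] "GET /academy/tutor/filter?searched_word=&price_min=10&price_max=50&searched_price_type%5B%5D=hourly HTTP/1.1" 200 8731 0.120
203.0.113.9 - - [15/Sep/2023:10:00:07 +0000] "GET /academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0 HTTP/1.1" 500 612 7.214
203.0.113.9 - - [15/Sep/2023:10:00:20 +0000] "GET /academy/tutor/filter?price_min=1&price_max=%28SELECT%280%29FROM%28SELECT%28SLEEP%289%29%29%29a%29&searched_price_type%5B%5D=hourly HTTP/1.1" 500 612 9.105
198.51.100.2 - - [15/Sep/2023:10:01:00 +0000] "GET /academy/tutor/filter?price_min=sleepy&price_max=5 HTTP/1.1" 200 5120 0.090
"""


def decode_param(raw: str) -> str:
    """parse_qs already percent-decodes once; decode a second time so a
    double-encoded payload (an assumed evasion) is still visible."""
    return unquote_plus(raw)


def inspect_line(line: str):
    """Return a finding dict for a time-based SQLi attempt, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(TARGET_PATH_SUFFIX):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    duration = float(m["duration"])
    for name in INJECTED_PARAMS:
        for raw in params.get(name, []):
            value = decode_param(raw)
            if not TIME_BASED_RE.search(value):
                continue
            # If the payload names a SLEEP() delay, a response at least that
            # slow is the signal the advisory's detection rule relies on.
            delay = SLEEP_SECONDS_RE.search(value)
            threshold = float(delay.group(1)) if delay else SLOW_SECONDS
            return {
                "ip": m["ip"],
                "timestamp": m["ts"],
                "param": name,
                "payload": value,
                "status": int(m["status"]),
                "duration": duration,
                "likely_success": duration >= threshold,
            }
    return None


def scan(log_text: str):
    """Run inspect_line over every line and return the list of findings."""
    return [f for f in map(inspect_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        verdict = "likely successful" if finding["likely_success"] else "attempt"
        print(f'{finding["timestamp"]} {finding["ip"]} {finding["param"]}='
              f'{finding["payload"]} status={finding["status"]} '
              f'{finding["duration"]:.2f}s -> {verdict}')
```

Run against the constructed sample the script reports the two payload lines as likely successful and stays quiet on the benign ones, including the "sleepy" value, because the pattern requires a function call rather than the bare word. Duration is the discriminator between an attempt and a success; if your log format lacks a request-time field, the status/body check from the bullets above is the fallback.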

CVSS provenance

NVD v3.1: 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 6.5 MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P

Note: the two vectors disagree on authentication. v3.1 records PR:N (no privileges required) while v2.0 records Au:S (single authentication). The published payloads are sent without a session or token, which is consistent with the v3.1 scoring.