CVE-2023-45115 is a high-severity SQL Injection vulnerability affecting version 1.0 of the Online Examination System developed by Projectworlds Pvt. Limited. The vulnerability arises from improper neutralization of special characters in the 'ch' parameter of the /update.php?q=addqns endpoint. This parameter is used to add questions to the system but does not validate or sanitize input before incorporating it into SQL commands. As a result, authenticated users with privileges to access this endpoint can inject malicious SQL code, potentially manipulating the backend database. The vulnerability is classified under CWE-89, indicating improper neutralization of special elements used in SQL commands. The CVSS 3.1 base score is 8.8, reflecting a high impact with network attack vector, low attack complexity, requiring privileges but no user interaction, and affecting confidentiality, integrity, and availability. Exploitation could allow attackers to read, modify, or delete sensitive examination data, alter question banks, or escalate privileges within the system. Although no known exploits are currently reported in the wild, the vulnerability's characteristics make it a significant risk, especially in environments where the Online Examination System is used to conduct high-stakes or regulated assessments. The lack of available patches increases the urgency for mitigation and risk management.

For European organizations, particularly educational institutions, certification bodies, and training providers using the Online Examination System, this vulnerability poses a serious threat. Exploitation could lead to unauthorized disclosure of examination content, manipulation of exam questions or results, and disruption of examination services. This undermines the integrity and trustworthiness of certification processes, potentially affecting compliance with educational standards and regulations such as GDPR if personal data is exposed. Furthermore, the availability impact could disrupt examination schedules, causing operational and reputational damage. The requirement for authentication limits exposure to internal or credentialed users, but insider threats or compromised accounts could still exploit this flaw. Given the increasing reliance on digital examination platforms in Europe, the vulnerability could have widespread consequences if not addressed promptly.

Organizations should immediately audit their use of the Online Examination System version 1.0 and restrict access to the /update.php?q=addqns endpoint to only highly trusted users. Implement input validation and sanitization on the 'ch' parameter to neutralize special SQL characters, ideally using parameterized queries or prepared statements to prevent injection. Since no official patch is currently available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting this parameter. Monitor logs for suspicious activity related to the vulnerable endpoint. Additionally, enforce strong authentication and session management controls to reduce the risk of credential compromise. If feasible, migrate to a more secure or updated examination platform. Conduct regular security assessments and penetration testing focused on injection flaws to proactively identify similar vulnerabilities.