CVE-2023-45116 is a high-severity SQL Injection vulnerability (CWE-89) affecting version 1.0 of the Online Examination System developed by Projectworlds Pvt. Limited. The vulnerability arises from improper neutralization of special characters in the 'demail' parameter of the /update.php endpoint. Specifically, this parameter does not validate or sanitize input before incorporating it into SQL commands, allowing an authenticated user to inject malicious SQL code. This flaw enables attackers with legitimate access (authenticated users) to manipulate backend database queries, potentially leading to unauthorized data access, data modification, or complete compromise of the database integrity and availability. The CVSS 3.1 base score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction required beyond authentication. Although no public exploits are currently known in the wild, the vulnerability poses a significant risk due to the sensitive nature of examination systems, which often store personal data, exam results, and other confidential information. Exploitation could result in data leakage, unauthorized data alteration, or denial of service, undermining the trustworthiness and operational continuity of the examination platform.

For European organizations using the affected Online Examination System v1.0, this vulnerability could have severe consequences. Educational institutions, certification bodies, and training providers rely heavily on the integrity and confidentiality of examination data. Exploitation could lead to unauthorized disclosure of personal data protected under GDPR, risking regulatory penalties and reputational damage. Integrity violations could allow manipulation of exam results, compromising the fairness and validity of assessments. Availability impacts could disrupt examination schedules, causing operational and financial harm. Since the vulnerability requires authentication, insider threats or compromised credentials could be leveraged by attackers. The risk is amplified in Europe due to strict data protection laws and the critical role of digital examination platforms in education and professional certification sectors.

To mitigate this vulnerability, organizations should immediately implement input validation and parameterized queries or prepared statements for all database interactions involving user-supplied data, especially the 'demail' parameter in /update.php. Employing an ORM (Object-Relational Mapping) framework or stored procedures can further reduce injection risks. Conduct a thorough code review and security audit of the entire application to identify and remediate similar injection points. Implement strict access controls and monitor authenticated user activities to detect anomalous behavior indicative of exploitation attempts. Regularly update and patch the Online Examination System once the vendor releases a fix. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns as a temporary protective measure. Finally, educate users on secure credential management to reduce the risk of credential compromise.