CVE-2023-45117: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Projectworlds Pvt. Limited Online Examination System
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'eid' parameter of the /update.php?q=rmquiz resource does not validate the characters received and they are sent unfiltered to the database.
AI Analysis
Technical Summary
CVE-2023-45117 is a high-severity SQL Injection vulnerability identified in version 1.0 of the Online Examination System developed by Projectworlds Pvt. Limited. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89). Specifically, the 'eid' parameter in the /update.php?q=rmquiz endpoint does not properly validate or sanitize user input before incorporating it into SQL queries. This allows an authenticated attacker with at least limited privileges (PR:L) to inject malicious SQL code remotely (AV:N) without requiring user interaction (UI:N). The vulnerability affects confidentiality, integrity, and availability of the backend database, as indicated by the CVSS vector (C:H/I:H/A:H). Exploitation could lead to unauthorized data disclosure, modification, or deletion, potentially compromising exam data, user credentials, or other sensitive information stored in the system. Although no known exploits are currently reported in the wild, the ease of exploitation combined with the critical impact makes this a significant threat. The vulnerability is present in a widely used online examination platform, which is often deployed in educational institutions and certification bodies, making it a valuable target for attackers seeking to manipulate exam results or steal sensitive data.
Potential Impact
For European organizations, especially educational institutions, certification authorities, and training providers using the affected Online Examination System v1.0, this vulnerability poses a serious risk. Exploitation could lead to unauthorized access to exam content, manipulation of exam results, and leakage of personal data of students and staff, violating GDPR and other data protection regulations. The integrity of examination processes could be compromised, undermining trust in certification and educational outcomes. Additionally, attackers could leverage the vulnerability to pivot into internal networks, potentially escalating privileges or disrupting services. The high impact on confidentiality, integrity, and availability means that affected organizations could face operational disruptions, reputational damage, and regulatory penalties.
Mitigation Recommendations
Organizations should immediately assess whether they are using Online Examination System v1.0 from Projectworlds Pvt. Limited. Since no official patch is currently available, mitigation should focus on the following:
1) Implement strict input validation and sanitization on the 'eid' parameter and all user inputs to prevent injection of malicious SQL commands.
2) Employ parameterized queries or prepared statements in the application code to separate SQL logic from data inputs.
3) Restrict database user privileges to the minimum necessary to limit the impact of any injection.
4) Monitor and log database queries and application logs for suspicious activity indicative of SQL injection attempts.
5) If possible, isolate the examination system in a segmented network zone to limit lateral movement.
6) Plan for an upgrade or patch deployment once the vendor releases a fix.
7) Conduct regular security assessments and code reviews focusing on injection vulnerabilities.
8) Educate administrators and developers about secure coding practices and the risks of SQL injection.
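As an added illustration of recommendations 1) and 2), and not code from the Online Examination System itself: a hypothetical PHP handler for the rmquiz action (the $pdo connection, the quiz table and its columns are assumptions) in the vulnerable string-concatenation form the advisory describes, beside a hardened version that validates 'eid' as an integer and binds it through a PDO prepared statement.

```php
<?php
// Added example, not the project's code. Table/column names are assumed.

// VULNERABLE pattern: 'eid' is spliced into the SQL text, so whatever
// characters the client sends reach the database as part of the query (CWE-89).
function removeQuizVulnerable(PDO $pdo, array $get): int
{
    $sql = "DELETE FROM quiz WHERE eid = '" . $get['eid'] . "'";
    return $pdo->exec($sql);
}

// HARDENED: type-check the input first, then bind it as a parameter so the
// database engine never parses it as SQL.
function removeQuizHardened(PDO $pdo, array $get): int
{
    // 1) Strict validation: eid must be a positive integer, nothing else.
    $eid = filter_var($get['eid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($eid === false) {
        throw new InvalidArgumentException('eid must be a positive integer');
    }

    // 2) Prepared statement: query text and data travel separately.
    $stmt = $pdo->prepare('DELETE FROM quiz WHERE eid = :eid');
    $stmt->bindValue(':eid', $eid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Offline demo against an in-memory SQLite database (constructed sample data).
// Emulated prepares are disabled so the driver performs real server-side binding.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE quiz (eid INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO quiz VALUES (1, 'Algebra'), (2, 'History')");

echo removeQuizHardened($pdo, ['eid' => '2']), " row(s) deleted\n";   // 1

try {
    removeQuizHardened($pdo, ['eid' => "2' abc"]);                     // rejected
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Recommendation 3) applies independently: the database account used by the application should hold only the DELETE/SELECT privileges the rmquiz action needs, so a flaw in any one handler cannot reach beyond that scope.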
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Fluid Attacks
- Date Reserved: 2023-10-04T14:28:12.264Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb7d2
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/4/2025, 2:56:12 PM
Last updated: 8/15/2025, 6:38:19 PM