CVE-2023-45118: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Projectworlds Pvt. Limited Online Examination System
Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'fdid' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database.
AI Analysis
Technical Summary
CVE-2023-45118 is a high-severity SQL Injection vulnerability affecting version 1.0 of the Online Examination System developed by Projectworlds Pvt. Limited. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89). Specifically, the 'fdid' parameter in the /update.php endpoint does not properly validate or sanitize input before incorporating it into SQL queries. This flaw allows an authenticated attacker with at least limited privileges (PR:L) to inject malicious SQL code, potentially leading to unauthorized data access, data modification, or complete compromise of the underlying database. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, with network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Although no public exploits have been reported yet, the vulnerability's characteristics make it a significant risk, especially in environments where the Online Examination System is used to manage sensitive educational or examination data. The lack of input validation on the 'fdid' parameter means attackers can craft SQL payloads to extract sensitive information, alter exam results, or disrupt system operations, potentially undermining the integrity of examination processes.
Potential Impact
For European organizations, particularly educational institutions and certification bodies using the affected Online Examination System, this vulnerability poses a serious threat. Exploitation could lead to unauthorized disclosure of personal data of students and staff, manipulation of exam results, and disruption of examination services. Such impacts could violate GDPR requirements concerning data protection and integrity, leading to regulatory penalties and reputational damage. The compromise of examination data can undermine trust in academic credentials and certification processes, affecting both individuals and institutions. Additionally, the availability impact could disrupt critical examination schedules, causing operational and financial consequences. Given the authenticated nature of the vulnerability, insider threats or compromised user accounts could be leveraged to exploit this flaw, increasing the risk profile for organizations with less stringent access controls.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately implement strict input validation and sanitization on the 'fdid' parameter and any other user-supplied inputs before they are used in SQL queries. Employing parameterized queries or prepared statements is essential to prevent SQL injection attacks. Since no official patches are currently available, organizations should consider applying virtual patching via Web Application Firewalls (WAFs) configured to detect and block SQL injection patterns targeting the vulnerable parameter. Additionally, review and tighten user access controls to limit the number of users with privileges to access the /update.php resource. Monitoring database and application logs for unusual query patterns or failed injection attempts can provide early detection of exploitation attempts. Organizations should also plan for timely updates once vendor patches become available and conduct security assessments to identify similar vulnerabilities in other parts of the application.
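The log-monitoring recommendation above can be made concrete for this endpoint. The following is an added example, not code from the advisory or from the Online Examination System: it scans web access logs for /update.php requests whose 'fdid' value is not a plain identifier. The combined log format, the alphanumeric 'fdid' format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate fdid values are short alphanumeric identifiers.
# Adjust this to the format your deployment actually issues.
FDID_OK = re.compile(r"[A-Za-z0-9]{1,32}")

# Client, request target and status from a combined-format access log entry.
REQUEST = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})'
)

def suspicious_fdid_requests(lines):
    """Return (client_ip, status, decoded_fdid) for /update.php requests
    whose fdid query value does not look like a plain identifier.
    Only query-string values are visible in access logs."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.endswith("/update.php"):
            continue
        # parse_qs percent-decodes once; keep_blank_values so "fdid=" is seen.
        for value in parse_qs(url.query, keep_blank_values=True).get("fdid", []):
            if not FDID_OK.fullmatch(value):
                hits.append((client, status, value))
    return hits

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Oct/2023:10:00:01 +0000] "GET /update.php?fdid=55846be776610 HTTP/1.1" 302 0',
    '192.0.2.44 - - [04/Oct/2023:10:02:17 +0000] "GET /update.php?fdid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 302 0',
    '192.0.2.44 - - [04/Oct/2023:10:02:19 +0000] "GET /update.php?fdid=1%27--%20- HTTP/1.1" 500 0',
    '192.0.2.10 - - [04/Oct/2023:10:05:00 +0000] "GET /dash.php?q=3 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, status, value in suspicious_fdid_requests(SAMPLE_LOG):
        print(f"{client} status={status} fdid={value!r}")
```

Because the vulnerability is authenticated, correlating each hit with the session or account that sent it identifies which credentials to review.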
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Fluid Attacks
- Date Reserved: 2023-10-04T14:28:12.264Z
- CISA Enriched: false
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb7d4
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/4/2025, 2:56:35 PM
Last updated: 8/16/2025, 1:42:35 AM