CVE-2023-45119 is a high-severity SQL Injection vulnerability affecting version 1.0 of the Online Examination System developed by Projectworlds Pvt. Limited. The vulnerability arises from improper neutralization of special characters in SQL commands (CWE-89). Specifically, the 'n' parameter in the /update.php?q=quiz endpoint does not properly validate or sanitize input before incorporating it into SQL queries. This flaw allows an authenticated user with at least limited privileges (PR:L) to inject malicious SQL code, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability requires network access (AV:N) but no user interaction (UI:N), and the scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are currently known, the vulnerability's characteristics make it a significant risk if weaponized. The lack of input validation on a critical parameter in an online examination platform could allow attackers to manipulate exam data, access sensitive user information, or disrupt examination processes, undermining trust and operational continuity.

For European organizations using the affected Online Examination System v1.0, this vulnerability poses serious risks. Educational institutions, certification bodies, and training providers relying on this system could face data breaches exposing personal information of students and staff, including exam results and credentials. Integrity of exam data could be compromised, enabling manipulation of scores or exam content, which can damage reputations and lead to legal liabilities under GDPR due to unauthorized data exposure. Availability impacts could disrupt examination schedules, causing operational delays and financial losses. Given the authenticated nature of the exploit, insider threats or compromised accounts could be leveraged to exploit this vulnerability. The high severity and potential for full database compromise make this a critical concern for European entities prioritizing data protection and service reliability.

Organizations should immediately audit their use of the Online Examination System v1.0 and restrict access to the /update.php?q=quiz endpoint to trusted users only. Implement strict input validation and sanitization on all parameters, especially the 'n' parameter, to neutralize special SQL characters. Employ parameterized queries or prepared statements to prevent injection attacks. Conduct a thorough code review and penetration testing focused on SQL injection vectors. If possible, upgrade to a patched version once available or apply custom patches to fix the input validation flaw. Monitor database logs for suspicious queries and implement anomaly detection to identify potential exploitation attempts. Additionally, enforce strong authentication and access controls to limit the risk posed by compromised credentials. Regular backups and incident response plans should be updated to handle potential data integrity or availability incidents.