CVE-2023-45121 is a high-severity SQL Injection vulnerability (CWE-89) affecting version 1.0 of the Online Examination System developed by Projectworlds Pvt. Limited. The vulnerability arises from improper neutralization of special characters in the 'desc' parameter of the /update.php?q=addquiz endpoint. Specifically, this parameter does not validate or sanitize user input before incorporating it into SQL commands, allowing an authenticated attacker to inject malicious SQL code. Because the vulnerability requires authentication but no user interaction beyond that, an attacker with valid credentials can exploit it remotely over the network (AV:N) with low attack complexity (AC:L). The impact is severe, as the CVSS 3.1 score of 8.8 reflects high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). Exploitation could lead to unauthorized data disclosure, data modification, or deletion, and potentially full compromise of the underlying database and application. Although no public exploits are currently known in the wild, the vulnerability's nature and ease of exploitation make it a critical risk for affected deployments. The lack of available patches increases the urgency for mitigation. The Online Examination System is typically used by educational institutions and certification bodies to manage and deliver exams online, making the integrity and confidentiality of exam data paramount.

For European organizations, especially educational institutions, certification authorities, and training providers using the vulnerable Online Examination System v1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized access to sensitive exam content, student data, and results, undermining the integrity of assessments and potentially enabling cheating or fraud. Confidentiality breaches could expose personal data protected under GDPR, leading to regulatory penalties and reputational damage. Integrity violations could invalidate exam results, disrupting academic and professional certification processes. Availability impacts could cause denial of service, interrupting examination schedules and causing operational disruptions. Given the critical nature of education and certification in Europe, such disruptions could have wide-ranging consequences for students, institutions, and employers. The requirement for authentication means insider threats or compromised credentials could be leveraged by attackers, increasing the risk in environments with weak credential management or insufficient access controls.

Immediate mitigation should focus on restricting access to the vulnerable endpoint to only trusted administrators and users with a strict need to add quizzes. Implement strong input validation and sanitization on the 'desc' parameter to neutralize special SQL characters before database queries. Employ parameterized queries or prepared statements to prevent SQL injection attacks. Conduct a thorough code review of all input handling in the Online Examination System to identify and remediate similar vulnerabilities. Enhance authentication mechanisms by enforcing multi-factor authentication (MFA) to reduce the risk of credential compromise. Monitor logs for suspicious activity related to the /update.php?q=addquiz endpoint, such as unusual input patterns or repeated failed attempts. If possible, isolate the database with strict access controls and network segmentation to limit the blast radius of a potential compromise. Since no official patches are available, consider deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts targeting this parameter. Finally, plan for an upgrade or replacement of the vulnerable system with a secure, actively maintained alternative.