CVE-2023-53982: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Sigb PMB
PMB 7.4.6 contains a SQL injection vulnerability in the storage parameter of the ajax.php endpoint that allows remote attackers to manipulate database queries. Attackers can exploit the unsanitized 'id' parameter by injecting conditional sleep statements to extract information or perform time-based blind SQL injection attacks.
AI Analysis
Technical Summary
CVE-2023-53982 is a critical SQL injection vulnerability affecting Sigb PMB version 7.4.6. The vulnerability resides in the ajax.php endpoint, specifically within the storage parameter, where the 'id' parameter is not properly sanitized before being used in SQL queries. This improper neutralization of special elements allows remote attackers to inject arbitrary SQL commands without authentication or user interaction. Attackers can exploit this flaw by injecting conditional sleep statements, facilitating time-based blind SQL injection attacks that enable them to infer sensitive information from the backend database. The vulnerability impacts confidentiality and integrity by allowing unauthorized data extraction and potential modification. The CVSS 4.0 score of 9.3 reflects its critical nature, with network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality and integrity. Although no public exploits are currently known, the vulnerability's characteristics make it highly exploitable. The affected product, Sigb PMB, is a library management system widely used in European academic and public libraries, increasing the risk to organizations relying on this software for managing bibliographic data and user information.
Potential Impact
The primary impact of CVE-2023-53982 is the compromise of confidentiality and integrity of data stored within Sigb PMB databases. Exploitation can lead to unauthorized disclosure of sensitive information such as user records, bibliographic data, and potentially administrative credentials. This can result in privacy violations, data breaches, and loss of trust. Additionally, attackers might manipulate or corrupt data, affecting the availability and reliability of library services. For European organizations, especially public and academic libraries that rely heavily on PMB for cataloging and user management, this vulnerability poses a significant risk of operational disruption and regulatory non-compliance with GDPR due to potential personal data exposure. The lack of required authentication and ease of exploitation increase the threat level, making it a critical concern for institutions managing large volumes of sensitive data.
Mitigation Recommendations
To mitigate CVE-2023-53982, organizations should immediately upgrade Sigb PMB to a patched version once available from the vendor. In the absence of an official patch, implement web application firewall (WAF) rules specifically designed to detect and block SQL injection patterns targeting the ajax.php endpoint and the 'id' parameter. Conduct thorough input validation and sanitization on all user-supplied inputs, particularly the 'id' parameter, to neutralize special SQL characters. Restrict direct internet access to the PMB application by placing it behind secure VPNs or internal networks where feasible. Enable database-level protections such as least privilege access for the PMB database user to limit the potential damage of a successful injection. Regularly monitor application logs for suspicious query patterns or abnormal response times indicative of time-based SQL injection attempts. Finally, conduct security awareness training for administrators to recognize and respond to exploitation attempts promptly.
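The log-monitoring recommendation above, worked through as an added example (not code from the advisory or from PMB): a small Python detector that parses constructed web-server access lines, isolates requests to ajax.php, and flags any whose 'id' value is not a plain integer, whose query contains a SQL time-delay function, or whose response time is abnormally long. The log layout (Apache combined format plus a trailing %D microsecond field), the query layout ajax.php?id=..., the integer-only rule for 'id' and the 2-second threshold are assumptions for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines (not real PMB logs): Apache "combined" format with the
# request time in microseconds (%D) appended; the ajax.php?id=... layout is assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Dec/2025:19:43:16 +0000] "GET /pmb/ajax.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18000',
    '10.0.0.9 - - [23/Dec/2025:19:43:20 +0000] "GET /pmb/ajax.php?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "curl/8.0" 5021000',
    '10.0.0.7 - - [23/Dec/2025:19:44:01 +0000] "GET /pmb/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 25000',
    '10.0.0.9 - - [23/Dec/2025:19:44:30 +0000] "GET /pmb/ajax.php?id=7 HTTP/1.1" 200 512 "-" "curl/8.0" 6200000',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)
# MySQL time-delay functions that time-based blind SQL injection relies on.
DELAY_FN_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
SLOW_MS = 2000  # assumed threshold: a lookup endpoint should answer far faster than this


def parse_line(line):
    """Split one access-log line into the fields the checks need; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    return {'ip': m['ip'], 'path': parts.path, 'query': parts.query, 'ms': int(m['usec']) // 1000}


def assess(entry):
    """Return the reasons an ajax.php request looks like time-based SQLi probing (empty if clean)."""
    reasons = []
    if not entry['path'].endswith('/ajax.php'):
        return reasons  # only the vulnerable endpoint is of interest here
    params = dict(parse_qsl(entry['query'], keep_blank_values=True))
    id_val = params.get('id')
    # Assumption: a legitimate id is a plain integer; anything else carries SQL syntax or junk.
    if id_val is not None and not id_val.isdigit():
        reasons.append('id_not_numeric')
    if DELAY_FN_RE.search(unquote_plus(entry['query'])):
        reasons.append('delay_function_in_query')
    if entry['ms'] >= SLOW_MS:
        reasons.append(f"slow_response_{entry['ms']}ms")
    return reasons


def scan(lines):
    """Return (ip, query, reasons) for every parsable request that trips at least one check."""
    parsed = (parse_line(line) for line in lines)
    return [(e['ip'], e['query'], r) for e in parsed if e and (r := assess(e))]
```

Running `scan(SAMPLE_LOG)` flags the two requests from 10.0.0.9: one on all three checks, the other only because a plain `id=7` took over six seconds, which is the signal a successful conditional delay leaves even when the payload itself is not visible in the log.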
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-20T16:31:20.900Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694af0d43b03476441e1a525
Added to database: 12/23/2025, 7:43:16 PM
Last enriched: 12/23/2025, 7:58:06 PM
Last updated: 12/23/2025, 9:07:16 PM