CVE-2024-40479 identifies a SQL injection vulnerability in the Kashipara Online Exam System version 1.0, located in the /admin/quizquestion.php script. The vulnerability arises from improper sanitization of the 'eid' parameter, which is used to query the backend database. An attacker with low privileges (PR:L) can remotely send crafted SQL commands through this parameter, enabling arbitrary SQL execution. The vulnerability requires no user interaction (UI:N) and can be exploited over the network (AV:N). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component. The CVSS score of 8.1 reflects high confidentiality and integrity impact, as attackers could extract sensitive exam data or alter records, but availability remains unaffected (A:N). The weakness corresponds to CWE-89, a classic SQL injection flaw. No patches or fixes have been published yet, and no active exploitation has been reported. However, the vulnerability represents a critical risk for exam systems that handle sensitive academic data and user credentials, potentially allowing attackers to compromise exam integrity and privacy.

The primary impact of this vulnerability is unauthorized disclosure and modification of sensitive data within the Kashipara Online Exam System. Attackers could extract confidential exam questions, student information, or manipulate exam results, undermining academic integrity. This could lead to reputational damage, regulatory penalties, and loss of trust for educational institutions using the system. Although availability is not directly affected, the integrity compromise could disrupt exam processes and require costly remediation. The vulnerability also increases the attack surface for further exploitation, such as privilege escalation or lateral movement within the network. Organizations worldwide that rely on this system or similar vulnerable platforms face risks of data breaches and operational disruption.

Since no official patches are available, organizations should immediately implement strict input validation and parameterized queries to sanitize the 'eid' parameter and other user inputs. Employing Web Application Firewalls (WAFs) with SQL injection detection rules can provide temporary protection. Restrict access to the /admin/quizquestion.php endpoint to trusted IP addresses or VPNs to reduce exposure. Conduct thorough code reviews and security testing to identify and remediate similar injection points. Monitor logs for suspicious SQL query patterns indicative of injection attempts. Educate developers on secure coding practices to prevent recurrence. Plan for prompt patch deployment once an official fix is released by the vendor. Additionally, consider isolating the exam system database with least privilege principles to limit damage in case of exploitation.