CVE-2023-36338
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-18
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inventory_management_system_project | inventory_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-36338 is a SQL Injection vulnerability in the PHP Inventory Management System version 1 by Stemword. It occurs in the login form at `/php-inventory-management-system/index.php` where user input is not properly sanitized before being used in SQL queries. This allows an attacker to manipulate the input to alter SQL commands, potentially gaining unauthorized access to sensitive data or compromising the entire database. [1]
How can this vulnerability impact me? :
A successful exploitation of this vulnerability can lead to unauthorized viewing of user lists, extraction of sensitive information, modification or deletion of database tables, full database compromise, and potentially remote code execution depending on the database configuration. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting the login request to the vulnerable login form at `/php-inventory-management-system/index.php` and testing it for SQL injection using tools like SQLMap. For example, capture the login request using Burp Suite and save it as `poc.txt`. Then run the command: `python3 sqlmap.py -r poc.txt --random-agent --tamper=space2comment --risk 2 --level 2 --dbms=MySQL -dbs` to enumerate backend MySQL databases and confirm the SQL injection vulnerability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthorized access to sensitive data through SQL injection, which could lead to data breaches involving personal or protected information. Such breaches may result in non-compliance with standards and regulations like GDPR or HIPAA that require protection of sensitive data and proper access controls. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate steps to mitigate this vulnerability include: 1) Avoid using the vulnerable login form at `/php-inventory-management-system/index.php` until a patch is applied. 2) Implement input validation and sanitization on all user inputs, especially in the login form, to prevent SQL injection. 3) Use prepared statements or parameterized queries in the backend to handle SQL commands safely. 4) Monitor and restrict database access to minimize potential damage. 5) If possible, apply any vendor-provided patches or updates addressing this issue. 6) Consider using web application firewalls (WAF) to detect and block SQL injection attempts. 7) Review logs for suspicious activity related to login attempts. These steps help reduce the risk of exploitation while awaiting an official fix. [1]