CVE-2023-53935
Unknown Unknown - Not Provided
SQL Injection in WBiz Desk 1.2 Allows Data Extraction

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: VulnCheck

Description
WBiz Desk 1.2 contains a SQL injection vulnerability that allows non-admin users to manipulate database queries through the 'tk' parameter in ticket.php. Attackers can inject crafted SQL statements using UNION-based techniques to extract sensitive database information by sending malformed requests to the ticket endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-14
NVD
CVE-2023-53935
EUVD
EUVD-2025-204350
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wbiz desk 1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not specify how this SQL injection vulnerability in WBiz Desk affects compliance with common standards and regulations such as GDPR or HIPAA. Therefore, the impact on compliance cannot be determined from the given information.

Executive Summary

CVE-2023-53935 is a SQL injection vulnerability in WBiz Desk version 1.2, specifically in the ticket.php file through the 'tk' parameter. It allows non-admin users to inject malicious SQL code using UNION-based techniques by sending specially crafted requests to the ticket endpoint. This enables attackers to manipulate database queries and extract sensitive information from the database. [2, 3]

Impact Analysis

This vulnerability can allow an attacker with normal user privileges to extract sensitive database information without authorization. It poses a risk of unauthorized data exposure and potential manipulation of database content, compromising confidentiality and integrity of the system's data. [2, 3]

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the ticket.php endpoint, specifically targeting the 'tk' parameter with SQL injection payloads. For example, using curl to test for SQL injection: curl -v 'http://target-site/ticket.php?tk=1' and then curl -v 'http://target-site/ticket.php?tk=1 UNION SELECT ...' to observe if the response reveals database information or errors indicating SQL injection. Monitoring web server logs for unusual or malformed requests to ticket.php with suspicious 'tk' parameter values can also help detect exploitation attempts. [2, 3]

Mitigation Strategies

Immediate mitigation steps include restricting or validating input on the 'tk' parameter in ticket.php to prevent SQL injection, such as implementing prepared statements or parameterized queries. Limiting user privileges to the minimum necessary and monitoring for suspicious activity on the ticket endpoint are also recommended. If possible, apply patches or updates from the vendor addressing this vulnerability. Additionally, consider implementing web application firewall (WAF) rules to block SQL injection attempts targeting the 'tk' parameter. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart