CVE-2023-7331

Unknown Unknown - Not Provided

Remote SQL Injection in PKrystian Full-Stack-Bank User Handler

Publication date: 2025-12-31

Last updated on: 2025-12-31

Assigner: VulDB

Description

A vulnerability was detected in PKrystian Full-Stack-Bank up to bf73a0179e3ff07c0d7dc35297cea0be0e5b1317. This vulnerability affects unknown code of the component User Handler. Performing manipulation results in sql injection. It is possible to initiate the attack remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 25c9965a872c704f3a9475488dc5d3196902199a. It is suggested to install a patch to address this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-12-31

Last Modified

2025-12-31

Generated

2026-06-16

AI Q&A

2025-12-31

EPSS Evaluated

2026-06-14

NVD

CVE-2023-7331

Affected Vendors & Products

Vendor	Product	Version / Range
pkrystian	full-stack-bank	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-74	The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE-74

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

Executive Summary

CVE-2023-7331 is a SQL injection vulnerability in the PKrystian Full-Stack-Bank application, specifically in the User Handler component. It occurs because the application improperly handles user input when constructing SQL queries, allowing a remote attacker with enhanced authentication to manipulate these queries. This can compromise the confidentiality, integrity, and availability of the system by enabling unauthorized database access or modification. The vulnerability is mitigated by applying a patch that replaces vulnerable SQL queries with prepared statements and parameter binding. [1, 2, 3]

Impact Analysis

This vulnerability can allow a remote attacker to manipulate SQL queries in the User Handler component, potentially leading to unauthorized access to sensitive user data, modification or deletion of data, and disruption of service. This compromises the confidentiality, integrity, and availability of the banking application, which could result in data breaches, financial loss, and loss of user trust. [1]

Detection Guidance

This vulnerability can be detected by monitoring for unusual or suspicious SQL queries that include user input directly concatenated into SQL commands, which may indicate SQL injection attempts. Since the vulnerability affects the User Handler component and involves SQL injection, you can look for anomalous HTTP requests targeting user-related endpoints such as create_user.php, delete_user.php, edit_user.php, and users.php. Specific detection commands are not provided in the resources. However, general detection methods include using web application firewalls (WAF) with SQL injection detection rules, inspecting logs for SQL errors or suspicious input patterns, and employing tools like sqlmap for testing injection points. No explicit commands are given in the provided resources.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to apply the patch identified by commit 25c9965a872c704f3a9475488dc5d3196902199a available on GitHub. This patch replaces vulnerable SQL queries with prepared statements and parameter binding in key PHP files such as create_user.php, delete_user.php, edit_user.php, and users.php, effectively preventing SQL injection. Additionally, the patch introduces an account number generator to enhance security. Applying this patch will prevent exploitation of the SQL injection vulnerability in the User Handler component. [1, 2, 3]

Hi! I’m here to help you understand CVE-2023-7331. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2023-7331

Remote SQL Injection in PKrystian Full-Stack-Bank User Handler

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart