CVE-2023-7331
Remote SQL Injection in PKrystian Full-Stack-Bank User Handler
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pkrystian | full-stack-bank | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-7331 is a SQL injection vulnerability in the PKrystian Full-Stack-Bank application, specifically in the User Handler component. It occurs because the application improperly handles user input when constructing SQL queries, allowing a remote attacker with enhanced authentication to manipulate these queries. This can compromise the confidentiality, integrity, and availability of the system by enabling unauthorized database access or modification. The vulnerability is mitigated by applying a patch that replaces vulnerable SQL queries with prepared statements and parameter binding. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can allow a remote attacker to manipulate SQL queries in the User Handler component, potentially leading to unauthorized access to sensitive user data, modification or deletion of data, and disruption of service. This compromises the confidentiality, integrity, and availability of the banking application, which could result in data breaches, financial loss, and loss of user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or suspicious SQL queries that include user input directly concatenated into SQL commands, which may indicate SQL injection attempts. Since the vulnerability affects the User Handler component and involves SQL injection, you can look for anomalous HTTP requests targeting user-related endpoints such as create_user.php, delete_user.php, edit_user.php, and users.php. Specific detection commands are not provided in the resources. However, general detection methods include using web application firewalls (WAF) with SQL injection detection rules, inspecting logs for SQL errors or suspicious input patterns, and employing tools like sqlmap for testing injection points. No explicit commands are given in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to apply the patch identified by commit 25c9965a872c704f3a9475488dc5d3196902199a available on GitHub. This patch replaces vulnerable SQL queries with prepared statements and parameter binding in key PHP files such as create_user.php, delete_user.php, edit_user.php, and users.php, effectively preventing SQL injection. Additionally, the patch introduces an account number generator to enhance security. Applying this patch will prevent exploitation of the SQL injection vulnerability in the User Handler component. [1, 2, 3]