Platform: php
Component: voovi-social-networking-script
Fixed in: 1.0.1
CVE-2023-6418 is a critical SQL injection vulnerability discovered in Voovi Social Networking Script version 1.0. The flaw allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability resides in the videos.php file, specifically in the handling of the id parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2023-6418 could grant an attacker complete access to the database underlying the Voovi Social Networking Script. This includes the ability to read, modify, or delete any data stored within the database. Sensitive information such as user credentials, personal data, and potentially even administrative configurations could be compromised. The impact is particularly severe as the vulnerability is remotely exploitable, requiring no authentication. An attacker could leverage this to gain persistent access to the system and potentially pivot to other connected resources, expanding the blast radius of the attack.
CVE-2023-6418 was publicly disclosed on 2023-11-30. While no active exploitation campaigns have been definitively linked to this vulnerability, the CRITICAL severity and ease of exploitation suggest it is a high-priority target for malicious actors. No public proof-of-concept exploits are currently available, but the simplicity of SQL injection vulnerabilities often leads to rapid development of such tools. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.18% (39th percentile)
CVSS Vector
The primary mitigation for CVE-2023-6418 is to upgrade Voovi Social Networking Script to version 1.0.1 or later immediately. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that filters potentially malicious SQL in requests to the videos.php endpoint, focusing on the id parameter. Server-side input validation and sanitization are also crucial to prevent SQL injection. Thoroughly review and harden database user permissions to limit the damage a successful injection can do. After upgrading, confirm the vulnerability is resolved by testing the videos.php endpoint with SQL injection inputs and verifying that the request is properly sanitized.
Update to a patched version or discontinue use of the script. Implement input validation and sanitization for the 'id' parameter of videos.php to prevent SQL injection, and consider using prepared statements or an ORM to reduce the risk.
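The following PHP snippet is an added illustration of the mitigation described above (type validation plus a prepared statement); it is not Voovi's own code, and the `videos` table, its columns and the `getVideoVulnerable`/`getVideoSafe` function names are assumptions chosen for the example. The vulnerable function shows the general shape of bug the advisory describes, a request parameter concatenated into SQL text, next to a hardened form that never lets the parameter reach the database as SQL.

```php
<?php
// Added example, not the project's code. Assumes a PDO connection and a
// `videos` table with an integer primary key `id` (both assumptions).

// Vulnerable pattern: the raw request parameter is concatenated into the
// query string, so whatever the client sends is parsed as SQL.
function getVideoVulnerable(PDO $pdo, array $request): ?array
{
    $id  = $request['id'] ?? '';
    $sql = "SELECT id, title, owner_id FROM videos WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened version: reject anything that is not a positive integer before
// it reaches the database, then bind the value as a typed parameter of a
// prepared statement so the database treats it as data, not SQL.
function getVideoSafe(PDO $pdo, array $request): ?array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400); // malformed id: refuse the request
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title, owner_id FROM videos WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER)');
$pdo->exec("INSERT INTO videos VALUES (1, 'first video', 10), (2, 'second video', 11)");

var_dump(getVideoSafe($pdo, ['id' => '2']));        // the row with id 2
var_dump(getVideoSafe($pdo, ['id' => '2 OR 1=1']));  // rejected as non-integer: NULL
var_dump(getVideoSafe($pdo, ['id' => '999']));       // well-formed but absent: NULL
```

Validation and parameter binding are complementary: the integer check gives an early, loggable rejection for malformed requests (a useful detection signal in its own right), while the bound parameter is what actually prevents injection even if a later code path forgets the check. With MySQL, keep `PDO::ATTR_EMULATE_PREPARES` set to false so the statement is prepared server-side rather than client-side string escaping.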
CVE-2023-6418 is a critical SQL injection vulnerability affecting Voovi Social Networking Script version 1.0. Attackers can inject malicious SQL code via the 'id' parameter in videos.php, potentially gaining unauthorized access to the database.
You are affected if you are using Voovi Social Networking Script version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL queries targeting videos.php.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation suggest it is a high-priority target for attackers.
Refer to the vendor's official advisory for the most up-to-date information and security recommendations. Check the Voovi website or relevant security forums for updates.