How to fix CVE-2023-2074?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Validate input sanitization for user-controlled parameters.

Is PHP affected by CVE-2023-2074?

Organizations using A vulnerability should be aware of moderate risk from CVE-2023-2074, a SQL injection vulnerability rated CVSS 6.3. Exploitation could allow attackers to execute code or inject malicious input. Proof-of-concept code is publicly available.

CVE-2023-2074

MEDIUM

2023-04-14 [email protected]

SQLi PHP Online Traffic Offense Management System

6.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 17, 2026 - 20:45 vuln.today

PoC Detected

Mar 17, 2026 - 19:58 vuln.today

Public exploit code

CVE Published

Apr 14, 2023 - 20:15 nvd

MEDIUM 6.3

DescriptionNVD

A vulnerability was found in Campcodes Online Traffic Offense Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Master.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-226052.

AnalysisAI

A SQL injection vulnerability exists in Campcodes Online Traffic Offense Management System version 1.0 within the /classes/Master.php file, where the 'id' parameter is not properly sanitized, allowing authenticated attackers to execute arbitrary SQL queries remotely. An attacker with valid credentials can leverage this vulnerability to read, modify, or delete database contents, potentially compromising sensitive traffic offense records. Public proof-of-concept code is available, increasing real-world exploitation risk.

Technical ContextAI

The vulnerability is a classic SQL injection (CWE-89) flaw in a PHP-based web application built by Campcodes (CPE: cpe:2.3:a:campcodes:online_traffic_offense_management_system:1.0:*:*:*:*:*:*:*). The /classes/Master.php file processes user-supplied input in the 'id' parameter without implementing parameterized queries or input validation, allowing attackers to inject malicious SQL syntax. The PHP application likely uses direct string concatenation or unescaped variable interpolation in SQL statement construction, enabling attackers to break out of intended query context and execute unintended database operations. This is a fundamental input validation failure at the application layer.

RemediationAI

Immediate action should be to contact Campcodes for security patches or updates; if unavailable, consider discontinuing use of version 1.0 or migrating to alternative traffic management systems. As a temporary mitigation, implement database-level access controls restricting the application account to minimal required permissions, deploy a Web Application Firewall (WAF) configured to detect and block SQL injection patterns in the 'id' parameter, and audit all database access logs for suspicious queries. Enforce network segmentation to limit access to the application to trusted administrative users only. Apply parameterized query patching to /classes/Master.php if source code review is feasible internally.

CVE-2023-2074 vulnerability details – vuln.today

Back