PHP
CVE-2023-2075
Severity: MEDIUM
Severity by source: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (primary rating from NVD, the only source for this CVE)
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description (CVE.org)
A vulnerability classified as critical has been found in Campcodes Online Traffic Offense Management System 1.0. This affects an unknown part of the file /admin/offenses/view_details.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-226053 was assigned to this vulnerability.
Analysis (AI)
A SQL injection vulnerability exists in Campcodes Online Traffic Offense Management System version 1.0, specifically in the /admin/offenses/view_details.php file where the 'id' parameter is improperly sanitized. An authenticated attacker with low privileges can exploit this remotely without user interaction to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. A public proof-of-concept has been disclosed, though the EPSS score of 0.07% (20th percentile) suggests real-world exploitation remains relatively unlikely despite the theoretical severity.
Technical Context (AI)
This vulnerability is rooted in CWE-89 (SQL Injection), a classic input validation flaw in PHP-based web applications where user-supplied input is directly concatenated into SQL queries without proper parameterization or escaping. The affected product is Campcodes Online Traffic Offense Management System version 1.0 (CPE: cpe:2.3:a:campcodes:online_traffic_offense_management_system:1.0:*:*:*:*:*:*:*), a PHP-based traffic offense management system. The vulnerable endpoint /admin/offenses/view_details.php fails to use prepared statements or bound parameters when processing the 'id' argument, allowing attackers who have authenticated access to inject arbitrary SQL syntax that executes within the database context of the application.
Remediation (AI)
The primary remediation is to upgrade Campcodes Online Traffic Offense Management System beyond version 1.0 if a patched version is available; however, no specific patch version or vendor advisory URL is documented in the available references. Organizations should contact Campcodes directly or monitor VulDB (https://vuldb.com/?id.226053) for patch availability. As an interim mitigation, implement input validation and prepared statements in the /admin/offenses/view_details.php file so that the 'id' parameter is passed only through parameterized queries (e.g., prepared statements in PHP PDO or MySQLi). Additionally, enforce the principle of least privilege for the application's database account, restrict admin panel access to trusted IP ranges, and implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in the 'id' parameter.
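Added example, not Campcodes code: the concatenation pattern that CWE-89 describes in a view_details.php-style handler, beside the hardened form the remediation above calls for (integer validation of 'id', then a PDO prepared statement). The table name `offenses`, its columns and the sample rows are assumptions for illustration.

```php
<?php
// Added example; not the vendor's code. Table and column names are assumed.

// VULNERABLE pattern (CWE-89): the raw request value is spliced into the SQL text,
// so anything the client sends becomes part of the query's syntax.
function view_details_vulnerable(PDO $pdo, array $get): ?array
{
    $id  = $get['id'] ?? '';
    $sql = "SELECT * FROM offenses WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED form: validate the type first, then bind the value with a prepared statement.
function view_details_fixed(PDO $pdo, array $get): ?array
{
    // Reject anything that is not a positive integer before it reaches the database.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller should answer HTTP 400 here
    }
    // The value travels separately from the SQL text, so it is always data, never syntax.
    $stmt = $pdo->prepare('SELECT id, plate_no, offense, date_recorded FROM offenses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demonstration against an in-memory SQLite database with constructed rows.
// With MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server performs the binding.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE offenses (id INTEGER PRIMARY KEY, plate_no TEXT, offense TEXT, date_recorded TEXT)');
$pdo->exec("INSERT INTO offenses VALUES (1, 'ABC-123', 'Speeding', '2023-04-01'),
                                        (2, 'XYZ-789', 'No helmet', '2023-04-02')");

$ok  = view_details_fixed($pdo, ['id' => '2']);         // valid request: row 2 is returned
$bad = view_details_fixed($pdo, ['id' => '2 OR 1=1']);  // malformed value: rejected, no query runs
var_dump($ok['plate_no'] ?? null, $bad);
```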