CVE-2023-2075

Severity: MEDIUM (CVSS 3.1 base score 6.3)
Published: 2023-04-14 (CNA contact: [email protected])

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline (3 events)

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
PoC Detected: Mar 17, 2026 - 19:59 (vuln.today) - public exploit code
CVE Published: Apr 14, 2023 - 20:15 (nvd)

Description (NVD)

A vulnerability classified as critical has been found in Campcodes Online Traffic Offense Management System 1.0. This affects an unknown part of the file /admin/offenses/view_details.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-226053 was assigned to this vulnerability.

Analysis (AI)

A SQL injection vulnerability exists in Campcodes Online Traffic Offense Management System version 1.0 in /admin/offenses/view_details.php, where the 'id' request parameter reaches a database query without validation or parameterization. The CVSS vector (AV:N, PR:L, UI:N) describes an attacker who already holds a low-privileged account on the application and needs no victim interaction; because the endpoint sits under /admin/, the practical precondition is a login to the admin panel. From that position the attacker can inject arbitrary SQL, leading to unauthorized reading, modification or deletion of database contents. The "classified as critical" wording in the description is VulDB's own label; NVD's CVSS 3.1 base score of 6.3 rates the issue medium, since each of confidentiality, integrity and availability impact is scored Low and an existing account is required. A public proof of concept has been disclosed, though the EPSS score of 0.07% (20th percentile) indicates that observed real-world exploitation remains unlikely.

Technical Context (AI)

This vulnerability is rooted in CWE-89 (SQL Injection), the classic input-handling flaw in PHP-based web applications where user-supplied input is concatenated directly into SQL text instead of being passed as a bound parameter. The affected product is Campcodes Online Traffic Offense Management System version 1.0 (CPE: cpe:2.3:a:campcodes:online_traffic_offense_management_system:1.0:*:*:*:*:*:*:*), a PHP-based traffic offense management system. The vulnerable endpoint /admin/offenses/view_details.php evidently builds its query from the 'id' argument without prepared statements or bound parameters, so an authenticated user can submit SQL syntax in that argument and have it executed with the privileges of the application's database account.

Remediation (AI)

The primary remediation is to upgrade Campcodes Online Traffic Offense Management System beyond version 1.0 if a patched version is available; however, no specific patch version or vendor advisory URL is documented in the available references. Organizations should contact Campcodes directly or monitor VulDB (https://vuldb.com/?id.226053) for patch availability. If the source is being maintained locally, fix /admin/offenses/view_details.php itself: validate that 'id' has the expected form (a record identifier should be an integer, so reject anything that fails integer validation) and pass the value to the database through a prepared statement with a bound parameter (PHP PDO or MySQLi). Escaping alone is not an adequate substitute for parameterization. As defence in depth, run the application under a database account limited to the tables and operations it needs, restrict admin panel access to trusted IP ranges, and deploy Web Application Firewall (WAF) rules that flag SQL injection patterns in the 'id' parameter; note that a WAF is a compensating control that reduces exposure but does not remove the flaw.
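The following is an added example, not code from Campcodes or from the public proof of concept, showing the vulnerable concatenation pattern beside the hardened PDO version recommended above. The schema of the Online Traffic Offense Management System is not documented, so the table and column names (offenses, id, plate_number, details), the sample rows and the attacker payload are all constructed; the example uses an in-memory SQLite database through PDO (requires the pdo_sqlite extension) so it runs offline.

```php
<?php
// Added example, not Campcodes' code. The real schema of the Online Traffic
// Offense Management System is not documented: table and column names
// (offenses, id, plate_number, details) are assumptions and the rows are
// constructed. An in-memory SQLite database via PDO lets this run offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE offenses (id INTEGER PRIMARY KEY, plate_number TEXT, details TEXT)');
$pdo->exec("INSERT INTO offenses (id, plate_number, details) VALUES
            (1, 'ABC-123', 'Speeding'),
            (2, 'XYZ-789', 'Illegal parking')");

// Vulnerable pattern (CWE-89): the raw request value is spliced into the SQL
// text, so whoever controls 'id' also controls the WHERE clause.
function viewDetailsVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, plate_number, details FROM offenses WHERE id = '" . $id . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not an integer record id, then
// pass the value as a bound parameter so it can never be parsed as SQL.
function viewDetailsSafe(PDO $pdo, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        // In the real handler this would become an HTTP 400 response.
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT id, plate_number, details FROM offenses WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: a tautology that turns a single-record lookup
// into a dump of every row in the table.
$payload = "1' OR '1'='1";

$rows = viewDetailsVulnerable($pdo, $payload);
printf("vulnerable: %d rows for id=%s\n", count($rows), $payload);

try {
    viewDetailsSafe($pdo, $payload);
} catch (InvalidArgumentException $e) {
    printf("hardened:   rejected id=%s (%s)\n", $payload, $e->getMessage());
}

$rows = viewDetailsSafe($pdo, '1');
printf("hardened:   %d row for id=1, plate %s\n", count($rows), $rows[0]['plate_number']);
```

Run with `php example.php`. The vulnerable function returns both constructed rows for the tautology payload, because the closing quote in the input terminates the string literal and the rest becomes live SQL; the hardened function rejects the same payload before any query is built, and a legitimate numeric id returns exactly one row. The integer check is a belt-and-braces measure: the bound parameter is the actual fix and also covers endpoints where the parameter is a free-form string.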
