A high-severity vulnerability exists within the feedback form of the Online-Exam-System and potentially other products. This flaw, a time-based blind SQL injection, allows an unauthenticated attacker to manipulate the database and steal sensitive information, such as user password hashes. Successful exploitation could lead to a complete compromise of the application's database, resulting in a significant data breach.

The application's feedback form fails to properly sanitize user-supplied input before incorporating it into a database query. An attacker can submit specially crafted input containing malicious SQL commands. Because this is a "blind" SQL injection, the application does not directly return data or errors; instead, the attacker uses time-based commands (e.g., SLEEP() or WAITFOR DELAY) to force the database to pause for a specific duration based on true/false conditions. By measuring the server's response time, the attacker can infer information one character at a time, allowing for the methodical exfiltration of the entire database, including sensitive password hashes.

This vulnerability is rated as High severity with a CVSS score of 8.2. Exploitation could lead to a complete compromise of the underlying database, exposing all stored data. The primary business impact is a severe data breach, including the theft of user credentials (password hashes), which could grant attackers access to user accounts. This can result in significant reputational damage, loss of customer trust, and potential financial and legal repercussions related to data privacy regulations.

Immediate Action:

• Apply Patches: Immediately deploy the security patches provided by the vendor to fix the root cause of the vulnerability.
• Review Access Controls: Audit database user permissions to ensure the web application's account adheres to the principle of least privilege, limiting the potential impact of a compromise.
• Enable Logging: Activate and monitor detailed database query logging to detect and investigate suspicious queries indicative of an attack.

Proactive Monitoring:

• Monitor web application logs for unusually long response times or malformed requests targeting the feedback form.
• Analyze database logs for queries containing time-delay functions (e.g., SLEEP, BENCHMARK, WAITFOR DELAY) or other common SQL injection payloads.
• Utilize network monitoring to flag connections with abnormally high latency patterns, which could indicate a time-based exfiltration attempt.

Compensating Controls:

• Implement a Web Application Firewall (WAF) with a ruleset configured to detect and block SQL injection attacks.
• If possible, enforce strict input validation and parameterization at the application layer as an interim measure until patching can be completed.
• Restrict access to the feedback form to authenticated users only to reduce the attack surface from unauthenticated attackers.

Public Exploit Available: true

Given the high CVSS score of 8.2 and the potential for a complete database compromise, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches across all affected systems without delay. Due to the wide availability of exploitation tools for this vulnerability class, organizations should treat this as a critical priority, even in the absence of a CISA KEV listing.