CVE-2020-37057

Vendor: Multiple · Product: Multiple products that use the 'feedback module', including Online-Exam-System 2015.

A high-severity vulnerability exists within the feedback module of multiple Online Exam System products, allowing for a SQL injection attack.

Executive summary

A high-severity SQL injection vulnerability exists in the feedback module of multiple Online Exam System products. An unauthenticated attacker can exploit this flaw to run attacker-chosen SQL against the application's database, potentially gaining unauthorized access to, modifying, or exfiltrating sensitive information such as student data, exam results, and administrative credentials.

Vulnerability

The feedback module builds a database query from the 'fid' request parameter without parameterizing the value or validating its type. Because the user-supplied value is concatenated directly into the SQL text, an attacker who sends a specially crafted 'fid' value can terminate the intended expression and append SQL of their own (for example a UNION that reads other tables, or a tautology that returns every row). The database executes the resulting statement with the application's privileges, so the attacker can read or alter data well beyond the single feedback record the request was meant to retrieve.
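The vulnerable query pattern described above beside its fixed form, as an added example that is not code from any affected product (the page does not state the application's language, so Python with SQLite is used purely to show the query behaviour). The schema, rows and payloads are constructed for the example; the hardened lookup also implements the strict validation of the 'fid' parameter listed under Compensating Controls.

```python
import re
import sqlite3

# Constructed sample schema and rows for this example (not any product's real schema).
SCHEMA = """
CREATE TABLE feedback (fid INTEGER PRIMARY KEY, student TEXT, comment TEXT);
CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT);
INSERT INTO feedback VALUES (1, 'alice', 'Exam was fair');
INSERT INTO feedback VALUES (2, 'bob', 'Too little time');
INSERT INTO users VALUES ('admin', 'HASH_ADMIN', 'administrator');
INSERT INTO users VALUES ('teacher1', 'HASH_TEACHER1', 'staff');
"""


def open_db():
    """In-memory SQLite database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_feedback_vulnerable(conn, fid):
    """The vulnerable pattern: the request parameter is spliced into the SQL text.
    Whatever the client sends becomes part of the statement the database parses."""
    query = "SELECT student, comment FROM feedback WHERE fid = " + fid
    return conn.execute(query).fetchall()


def lookup_feedback_parameterized(conn, fid):
    """Root-cause fix: the value is bound as a parameter. The database receives the
    statement and the value separately, so the value can never become SQL syntax."""
    return conn.execute(
        "SELECT student, comment FROM feedback WHERE fid = ?", (fid,)
    ).fetchall()


# Accept only a short run of digits; everything else is rejected before the query.
FID_RE = re.compile(r"^[0-9]{1,10}$")


def lookup_feedback_hardened(conn, fid):
    """Defence in depth: reject anything that is not a plain integer before it
    reaches the database, then still bind it as a parameter."""
    if not FID_RE.fullmatch(fid):
        raise ValueError("fid must be a positive integer")
    return lookup_feedback_parameterized(conn, int(fid))


def is_rejected(conn, fid):
    """True if the hardened lookup refuses the value (used by the checks below)."""
    try:
        lookup_feedback_hardened(conn, fid)
    except ValueError:
        return True
    return False


# Constructed attack payloads: a UNION that reads the users table, and a tautology
# that turns a single-row lookup into a dump of the whole feedback table.
UNION_PAYLOAD = "1 UNION SELECT username, password_hash FROM users"
TAUTOLOGY_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    db = open_db()
    print("vulnerable, union:    ", lookup_feedback_vulnerable(db, UNION_PAYLOAD))
    print("vulnerable, tautology:", lookup_feedback_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("parameterized, union: ", lookup_feedback_parameterized(db, UNION_PAYLOAD))
    print("hardened rejects:     ", is_rejected(db, UNION_PAYLOAD))
```

Run stand-alone, the vulnerable lookup returns the admin and teacher password hashes alongside the feedback row for the UNION payload and both feedback rows for the tautology; the parameterized lookup returns nothing for either payload because the whole string is compared as a value, and the hardened lookup refuses both before any query runs.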

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.2, posing a significant risk to the organization. Successful exploitation could lead to a severe data breach, compromising the confidentiality, integrity, and availability of the system. For an online exam platform, this could result in the theft of student personal information, alteration of grades, leakage of confidential exam questions, and reputational damage to the institution. The compromise of administrative credentials could allow an attacker to gain full control over the system, leading to widespread disruption.

Remediation

Immediate Action:

  • Apply Patches: Deploy any security fix the vendor has published. Where no vendor fix is available (several affected products, including the 2015 release, may no longer be maintained), correct the root cause directly in the application's source: pass the 'fid' value to the database as a bound parameter of a prepared statement rather than concatenating it into the query text.
  • Review Access Controls: Audit the database user account used by the application. Ensure it operates under the principle of least privilege: read and write access only to the tables the application needs, and no administrative, schema-altering, or file-system privileges, so that an injected statement cannot reach beyond the application's own data.
  • Enable Logging: Activate and monitor detailed database query logging. This will help in detecting potential exploitation attempts and aid in forensic analysis if a compromise is suspected.

Proactive Monitoring:

  • Monitor web server and application logs for requests to the feedback module whose 'fid' value is not a plain identifier: URL-encoded quotes, SQL keywords (UNION, SELECT, SLEEP), comment sequences such as '--' or '/*', or unusually long values.
  • Analyze database logs for unexpected queries, errors, or queries that deviate from normal application behavior.
  • Use a Web Application Firewall (WAF) to monitor and block traffic matching known SQL injection signatures, bearing in mind that signature matching can be evaded and is a detection aid, not a fix.
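The log review described in the monitoring items above, as an added example that is not part of the original advisory: a small scanner that pulls the 'fid' value out of web server access-log lines, flags any value that is not a plain integer, and tags the SQL syntax found in it. The log lines are constructed for the example, and the request path /feedback.php is an assumption, since the page only names the 'feedback module'.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines. The path /feedback.php is an
# assumption; the advisory identifies only the 'feedback module' and the 'fid' parameter.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2024:12:00:01 +0000] "GET /feedback.php?fid=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2024:12:00:05 +0000] "GET /feedback.php?fid=12%27%20UNION%20SELECT%20username,password%20FROM%20users--%20- HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
192.0.2.12 - - [10/Mar/2024:12:00:09 +0000] "GET /feedback.php?fid=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.13 - - [10/Mar/2024:12:00:12 +0000] "GET /exam.php?id=3 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.14 - - [10/Mar/2024:12:00:15 +0000] "GET /feedback.php?fid= HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INT_RE = re.compile(r"^[0-9]+$")
# Syntax that has no business in an identifier: quotes, comment markers and
# keywords typical of UNION-, boolean- and time-based injection.
SQL_HINT_RE = re.compile(
    r"(['\"`]|--|/\*|#|\b(union|select|sleep|benchmark|or|and|waitfor|"
    r"load_file|information_schema)\b)",
    re.IGNORECASE,
)


def extract_fid(target):
    """Return the decoded 'fid' value for a request to the feedback module, else None."""
    parsed = urlparse(target)
    if "feedback" not in parsed.path.lower():
        return None
    values = parse_qs(parsed.query, keep_blank_values=True).get("fid")
    return values[0] if values else None


def scan_log_lines(text):
    """Flag every feedback-module request whose 'fid' is not a plain integer.
    Returns one finding per line: source IP, timestamp, decoded value, the SQL
    syntax spotted in it, and a severity (high if any SQL syntax is present)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        fid = extract_fid(m.group("target"))
        if fid is None or INT_RE.fullmatch(fid):
            continue  # no fid, or a well-formed integer: nothing to flag
        hints = sorted({h.group(0).lower() for h in SQL_HINT_RE.finditer(fid)})
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "fid": fid,
            "hints": hints,
            "severity": "high" if hints else "low",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG):
        print(f'{f["severity"]:4} {f["ip"]:12} fid={f["fid"]!r} hints={f["hints"]}')
```

The positive check (is the value a plain integer?) is what catches the malformed and empty values; the keyword list only ranks what was already flagged, which is why a value like "1 AND SLEEP(5)" is caught even if the keyword list is incomplete. Feed real access logs to scan_log_lines() and alert on any high-severity finding, or on repeated low-severity findings from one source.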

Compensating Controls:

  • Web Application Firewall (WAF): If patching is delayed, configure a WAF rule that rejects requests to the feedback module whose 'fid' value does not match the expected format (a positive allow-list), in addition to generic SQL injection signatures, which are easier to evade.
  • Input Validation: As a temporary measure, add server-side validation that accepts only 'fid' values matching the expected type and format and rejects everything else before the value reaches the query. Validation narrows the attack surface but does not remove the injection; only parameterizing the query does, so treat this as a stopgap until the query is fixed.
  • Database Segmentation: Isolate the database server on a secure network segment to limit an attacker's ability to move laterally if the database is compromised.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the High severity (CVSS 8.2) and the sensitivity of the data an Online Exam System holds, immediate action is required. Although this CVE is not on the CISA KEV list, a public exploit exists and the flaw requires no authentication, so the risk is immediate. We strongly recommend that organizations apply vendor patches, or fix the vulnerable query in source where no patch exists, without delay. If neither is feasible, implement the compensating controls outlined above, particularly WAF rules and strict validation of the 'fid' parameter, immediately to reduce exposure.