A critical vulnerability has been identified in the Online Artwork and Fine Arts MCA Project, which could allow a remote attacker to compromise the application's database. This flaw, a SQL injection, enables an unauthenticated attacker to steal, modify, or delete sensitive data, potentially leading to a complete system compromise. Organizations using the affected software are urged to apply the vendor's patch immediately to prevent data breaches and unauthorized access.

The vulnerability is a SQL injection flaw found in the cancel_booking.php page. The application fails to properly sanitize user-supplied input to the id2 parameter before using it in a database query. A remote, unauthenticated attacker can exploit this by crafting a malicious request containing specially formed SQL commands within the id2 parameter, which are then executed by the backend database. Successful exploitation could allow an attacker to bypass authentication, exfiltrate the entire database, modify or delete records, and in some configurations, execute commands on the underlying operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation of this flaw could have a severe impact on the business, leading to a significant data breach of sensitive user information, financial records, or proprietary artwork data. The loss of data integrity could disrupt business operations, while a public breach could result in severe reputational damage, loss of customer trust, and potential regulatory fines. Given the low complexity of the attack, the risk of exploitation is high.

Immediate Action: Immediately update the Online Artwork and Fine Arts MCA Project to the latest version provided by the vendor, which addresses this vulnerability. After patching, it is crucial to monitor for any signs of past or ongoing exploitation attempts by reviewing access logs for suspicious activity targeting the cancel_booking.php page.

Proactive Monitoring: Implement enhanced logging and monitoring for the web application. Specifically, monitor web server access logs for requests to cancel_booking.php containing SQL keywords (e.g., UNION, SELECT, ', --, SLEEP) or an unusual syntax in the id2 parameter. Monitor database logs for unexpected queries, errors, or unusually high activity originating from the web server.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with a strict ruleset designed to detect and block SQL injection attacks. Restrict access to the application from untrusted networks and ensure the database user account used by the application operates with the principle of least privilege, limiting an attacker's ability to escalate access or damage the system.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a significant and immediate risk to the organization. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patch across all affected systems without delay. Although this vulnerability is not currently on the CISA KEV list, its high severity makes it a likely candidate for future inclusion. Until patching is complete, organizations must implement the recommended compensating controls and proactive monitoring to detect and block potential exploitation attempts.