Impact
The vulnerability is a classic SQL injection in the Prog Management System that permits unauthenticated remote attackers to inject arbitrary SQL. This flaw can be used to read any data stored in the database, compromising confidentiality through a direct database-level weakness identified as CWE-89.
Affected Systems
The affected product is PROG MIS's Prog Management System. No specific version numbers are disclosed in the advisory. All deployments of this product should be examined for the presence of this vulnerability.
Risk and Exploitability
The issue carries a CVSS score of 8.7, indicating high severity. The EPSS score of less than 1% suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. However, the lack of authentication requirement and remote nature of the attack vector mean that an attacker can potentially trigger the flaw from any network location that can reach the application’s exposed interfaces. The exploitation would involve submitting a crafted HTTP request or form, leading to data exfiltration.
OpenCVE Enrichment