Lucene search

[email protected]CVE-2024-0523

HistoryJan 14, 2024 - 11:15 p.m.

CVE-2024-0523

2024-01-1423:15:28

CWE-89

[email protected]

web.nvd.nist.gov

cmseasy

vulnerability

remote

sql injection

getslide_child_action

library

nvd

cve-2024-0523

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.5%

JSON

A vulnerability was found in CmsEasy up to 7.7.7. It has been declared as critical. Affected by this vulnerability is the function getslide_child_action in the library lib/admin/language_admin.php. The manipulation of the argument sid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250693 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected configurations

Vulners

NVD

Node

cmseasycmseasyMatch7.7.0

cmseasycmseasyMatch7.7.1

cmseasycmseasyMatch7.7.2

cmseasycmseasyMatch7.7.3

cmseasycmseasyMatch7.7.4

cmseasycmseasyMatch7.7.5

cmseasycmseasyMatch7.7.6

cmseasycmseasyMatch7.7.7

VendorProductVersionCPE
cmseasycmseasy7.7.0cpe:2.3:a:cmseasy:cmseasy:7.7.0:*:*:*:*:*:*:*
cmseasycmseasy7.7.1cpe:2.3:a:cmseasy:cmseasy:7.7.1:*:*:*:*:*:*:*
cmseasycmseasy7.7.2cpe:2.3:a:cmseasy:cmseasy:7.7.2:*:*:*:*:*:*:*
cmseasycmseasy7.7.3cpe:2.3:a:cmseasy:cmseasy:7.7.3:*:*:*:*:*:*:*
cmseasycmseasy7.7.4cpe:2.3:a:cmseasy:cmseasy:7.7.4:*:*:*:*:*:*:*
cmseasycmseasy7.7.5cpe:2.3:a:cmseasy:cmseasy:7.7.5:*:*:*:*:*:*:*
cmseasycmseasy7.7.6cpe:2.3:a:cmseasy:cmseasy:7.7.6:*:*:*:*:*:*:*
cmseasycmseasy7.7.7cpe:2.3:a:cmseasy:cmseasy:7.7.7:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cmseasy	cmseasy	7.7.0	cpe:2.3:a:cmseasy:cmseasy:7.7.0:::::::*
cmseasy	cmseasy	7.7.1	cpe:2.3:a:cmseasy:cmseasy:7.7.1:::::::*
cmseasy	cmseasy	7.7.2	cpe:2.3:a:cmseasy:cmseasy:7.7.2:::::::*
cmseasy	cmseasy	7.7.3	cpe:2.3:a:cmseasy:cmseasy:7.7.3:::::::*
cmseasy	cmseasy	7.7.4	cpe:2.3:a:cmseasy:cmseasy:7.7.4:::::::*
cmseasy	cmseasy	7.7.5	cpe:2.3:a:cmseasy:cmseasy:7.7.5:::::::*
cmseasy	cmseasy	7.7.6	cpe:2.3:a:cmseasy:cmseasy:7.7.6:::::::*
cmseasy	cmseasy	7.7.7	cpe:2.3:a:cmseasy:cmseasy:7.7.7:::::::*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "CmsEasy",
    "versions": [
      {
        "version": "7.7.0",
        "status": "affected"
      },
      {
        "version": "7.7.1",
        "status": "affected"
      },
      {
        "version": "7.7.2",
        "status": "affected"
      },
      {
        "version": "7.7.3",
        "status": "affected"
      },
      {
        "version": "7.7.4",
        "status": "affected"
      },
      {
        "version": "7.7.5",
        "status": "affected"
      },
      {
        "version": "7.7.6",
        "status": "affected"
      },
      {
        "version": "7.7.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/V3geD4g/cmseasy_vul/blob/main/SQL1-EN.md

vuldb.com/?ctiid.250693

vuldb.com/?id.250693

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.5%

JSON

Related for CVE-2024-0523

cvelist1 nvd1 prion1