Lucene search

TwcertCVELIST:CVE-2023-48395

HistoryDec 15, 2023 - 9:27 a.m.

CVE-2023-48395 Kaifa Technology WebITR - SQL Injection

2023-12-1509:27:22

CWE-89

twcert

www.cve.org

cve-2023-48395

kaifa technology

webitr

sql injection

remote attacker

user privilege

arbitrary sql commands

database

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

JSON

Kaifa Technology WebITR is an online attendance system, it has insufficient validation for user input within a special function. A remote attacker with regular user privilege can exploit this vulnerability to inject arbitrary SQL commands to read database.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "WebITR",
    "vendor": "Kaifa Technology",
    "versions": [
      {
        "status": "affected",
        "version": "2_1_0_19"
      }
    ]
  }
]

References

www.twcert.org.tw/tw/cp-132-7625-a0b9c-1.html

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

31.3%

JSON

Related for CVELIST:CVE-2023-48395