Lucene search

GoogleOSV:CVE-2023-36284

HistoryJun 23, 2023 - 4:15 p.m.

CVE-2023-36284

2023-06-2316:15:09

Google

osv.dev

cve-2023-36284

unauthenticated

webkul qloapps

sql injection

remote attacker

authentication bypass

authorization bypass

database retrieval

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

8.6 High

AI Score

Confidence

Low

0.007 Low

EPSS

Percentile

80.7%

JSON

An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application’s authentication and authorization mechanisms and retrieve the contents of an entire database.

CPENameOperatorVersion
hotelcommerceeq1.4.0
hotelcommerceeq1.6.0
hotelcommerceeq1.5.0
hotelcommerceeq1.3.0
hotelcommerceeq0.3
hotelcommerceeq1.4.1
hotelcommerceeq1.3.1
hotelcommerceeq1.5.1
hotelcommerceeq1.3.2
hotelcommerceeq1.5.2

Name	Operator	Version
hotelcommerce	eq	1.4.0
hotelcommerce	eq	1.6.0
hotelcommerce	eq	1.5.0
hotelcommerce	eq	1.3.0
hotelcommerce	eq	0.3
hotelcommerce	eq	1.4.1
hotelcommerce	eq	1.3.1
hotelcommerce	eq	1.5.1
hotelcommerce	eq	1.3.2
hotelcommerce	eq	1.5.2

References

flashy-lemonade-192.notion.site/Time-Based-SQL-injection-in-QloApps-1-6-0-0-be3ed1bdaf784a77b45dc6898a2de17e?pvs=4

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

8.6 High

AI Score

Confidence

Low

0.007 Low

EPSS

Percentile

80.7%

JSON

Related for OSV:CVE-2023-36284