Lucene search

Fluid AttacksVULNRICHMENT:CVE-2023-5004

HistorySep 28, 2023 - 8:40 p.m.

CVE-2023-5004 Hospital-management-system-in-php 378c157 - Blind SQL Injection

2023-09-2820:40:58

CWE-89

Fluid Attacks

github.com

hospital management system

blind sql injection

authentication bypass

vulnerable

version 378c157

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

Low

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

total

JSON

Hospital management system version 378c157 allows to bypass authentication.

This is possible because the application is vulnerable to SQLI.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:projectworlds:hospital_management_system_in_php:2018-06-17:*:*:*:*:*:*:*"
    ],
    "vendor": "projectworlds",
    "product": "hospital_management_system_in_php",
    "versions": [
      {
        "status": "affected",
        "version": "2018-06-17"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

fluidattacks.com/advisories/alcocer

github.com/projectworldsofficial/hospital-management-system-in-php/

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

6.9

Confidence

Low

SSVC

Exploitation

poc

Automatable

yes

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2023-5004