In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between December 10-11, 2023.
During this period, the National Vulnerability Database published 24 new Common Vulnerabilities and Exposures (CVEs), classified as follows:
Critical: 0
High: 6
Medium: 8
Low: 1
Severity Not Assigned: 9
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2023-6647
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in AMTT HiBOS 1.0. Affected by this issue is some unknown functionality. The manipulation of the argument Type leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247340. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References: https://github.com/gatsby2003/Sqlinjection/blob/main/sql.md
https://vuldb.com/?ctiid.247340
https://vuldb.com/?id.247340
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
2. CVE-2023-6648
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, was found in PHPGurukul Nipah Virus Testing Management System 1.0. This affects an unknown part of the file password-recovery.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247341 was assigned to this vulnerability.
References: https://github.com/dhabaleshwar/niv_testing_sqliforgotpassword/blob/main/exploit.md
https://vuldb.com/?ctiid.247341
https://vuldb.com/?id.247341
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
3. CVE-2023-6651
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in code-projects Matrimonial Site 1.0. It has been classified as critical. Affected is an unknown function of the file /auth/auth.php?user=1. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-247344.
References: https://github.com/850362564/BugHub/blob/main/Matrimonial%20Site%20System%20auth.php%20has%20Sqlinjection.pdf
https://vuldb.com/?ctiid.247344
https://vuldb.com/?id.247344
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2023-6652
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability was found in code-projects Matrimonial Site 1.0. It has been declared as critical. Affected by this vulnerability is the function register of the file /register.php. The manipulation leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-247345 was assigned to this vulnerability.
References: https://github.com/sweatxi/BugHub/blob/main/Matrimonial%20Site%20System%20functions.php%20%20has%20Sqlinjection.pdf
https://vuldb.com/?ctiid.247345
https://vuldb.com/?id.247345
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
5. CVE-2023-6655
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
References: https://github.com/willchen0011/cve/blob/main/HongJing-sql.md
https://vuldb.com/?ctiid.247358
https://vuldb.com/?id.247358
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
6. CVE-2023-5869
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.
References: https://access.redhat.com/errata/RHSA-2023:7545
https://access.redhat.com/errata/RHSA-2023:7579
https://access.redhat.com/errata/RHSA-2023:7580
https://access.redhat.com/errata/RHSA-2023:7581
https://access.redhat.com/errata/RHSA-2023:7616
https://access.redhat.com/errata/RHSA-2023:7656
https://access.redhat.com/errata/RHSA-2023:7666
https://access.redhat.com/errata/RHSA-2023:7667
https://access.redhat.com/errata/RHSA-2023:7694
https://access.redhat.com/errata/RHSA-2023:7695
https://access.redhat.com/security/cve/CVE-2023-5869
https://bugzilla.redhat.com/show_bug.cgi?id=2247169
https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/
https://www.postgresql.org/support/security/CVE-2023-5869/
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found