gopeak MasterLab har 3.3.10 HTTP POST Request Feature.php sqlInject pwd SQL Injection

Wuro vulnerability wey an yi classify sey kura an gano shi a cikin gopeak MasterLab har 3.3.10. Gaskiya, sqlInject na da matsala; idan ba a sani ba, to wata aiki ce da ba a sani ba, $software_library na cikin lissafi, app/ctrl/framework/Feature.php na cikin fayil, HTTP POST Request Handler na cikin sashi. Ngam manipulation of the argument pwd shi SQL Injection. CWE shidin ka a yi bayani matsala sai ya kai CWE-89. Gaskiya, laifi an fitar da shi 12/28/2023. Advisory ɗin ana rabawa don saukewa a note.zhaoj.in. Wannan rauni ana sayar da shi da suna CVE-2023-7144. Wuro ndiyam na local network ɗin sai a samu kafin wannan hari ya yi nasara. Tekinikal bayani ga. Kuma, exploit ɗin yana akwai. Wuro exploit ɗin an bayyana shi ga jama'a kuma za a iya amfani da shi. A sa'i, exploit might be approx. USD $0-$5k ndiyam. Á wúro huɗɗi-na-gaskiya. Wona yiwuwa a zazzage exploit a note.zhaoj.in. Kama 0-day, an ndiyam a wuro be $0-$5k. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

2 Goyarwa · 73 Datenpunkte

FurɗeSúgá
12/28/2023 09:38		Gargadi 1/1
01/20/2024 09:23
software_vendorgopeakgopeak
software_nameMasterLabMasterLab
software_version<=3.3.10<=3.3.10
software_componentHTTP POST Request HandlerHTTP POST Request Handler
software_fileapp/ctrl/framework/Feature.phpapp/ctrl/framework/Feature.php
software_functionsqlInjectsqlInject
software_argumentpwdpwd
vulnerability_cweCWE-89 (SQL Injection)CWE-89 (SQL Injection)
vulnerability_risk22
cvss3_vuldb_acLL
cvss3_vuldb_prNN
cvss3_vuldb_uiNN
cvss3_vuldb_sUU
cvss3_vuldb_cLL
cvss3_vuldb_iLL
cvss3_vuldb_aLL
cvss3_vuldb_ePP
cvss3_vuldb_rcRR
advisory_urlhttps://note.zhaoj.in/share/4HDWrBHGCf9ehttps://note.zhaoj.in/share/4HDWrBHGCf9e
exploit_availability11
exploit_publicity11
exploit_urlhttps://note.zhaoj.in/share/4HDWrBHGCf9ehttps://note.zhaoj.in/share/4HDWrBHGCf9e
source_cveCVE-2023-7144CVE-2023-7144
cna_responsibleVulDBVulDB
advisory_date1703718000 (12/28/2023)1703718000 (12/28/2023)
cvss2_vuldb_acLL
cvss2_vuldb_auNN
cvss2_vuldb_ciPP
cvss2_vuldb_iiPP
cvss2_vuldb_aiPP
cvss2_vuldb_ePOCPOC
cvss2_vuldb_rcURUR
cvss2_vuldb_avAA
cvss2_vuldb_rlNDND
cvss3_vuldb_avAA
cvss3_vuldb_rlXX
cvss2_vuldb_basescore5.85.8
cvss2_vuldb_tempscore5.05.0
cvss3_vuldb_basescore6.36.3
cvss3_vuldb_tempscore5.75.7
cvss3_meta_basescore6.37.5
cvss3_meta_tempscore5.77.3
price_0day$0-$5k$0-$5k
cve_assigned1703718000 (12/28/2023)
cve_nvd_summaryA vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147.
cvss3_cna_prN
cvss3_cna_uiN
cvss3_cna_sU
cvss3_cna_cL
cvss3_cna_iL
cvss3_cna_aL
cve_cnaVulDB
cvss2_nvd_basescore5.8
cvss3_nvd_basescore9.8
cvss3_cna_basescore6.3
cvss3_nvd_avN
cvss3_nvd_acL
cvss3_nvd_prN
cvss3_nvd_uiN
cvss3_nvd_sU
cvss3_nvd_cH
cvss3_nvd_iH
cvss3_nvd_aH
cvss2_nvd_avA
cvss2_nvd_acL
cvss2_nvd_auN
cvss2_nvd_ciP
cvss2_nvd_iiP
cvss2_nvd_aiP
cvss3_cna_avA
cvss3_cna_acL

GurɗoGumtiGada

Want to stay up to date on a daily basis?

Enable the mail alert feature now!