CVE-2023-3449 - OpenCVE

A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. This vulnerability affects the function actionExport of the file ?r=recruit/interview/export&interviews=x of the component Interview Management Export. The manipulation of the argument interviews leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-232546 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:A/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Ibos	Ibos

Configuration 1 [-]

cpe:2.3:a:ibos:ibos:4.5.5:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/MinimoAgoni/cve/blob/main/iboa%20oa.md	Exploit Third Party Advisory
https://vuldb.com/?ctiid.232546	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.232546	Permissions Required Third Party Advisory VDB Entry

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulDB

Published: 2023-06-28T17:31:02.974Z

Updated: 2023-10-23T13:46:37.455Z

Reserved: 2023-06-28T17:16:00.316Z

Link: CVE-2023-3449

JSON object: View

NVD Information

Status : Modified

Published: 2023-06-28T18:15:16.607

Modified: 2024-05-17T02:27:29.940

Link: CVE-2023-3449

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3449", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-06-28T17:16:00.316Z", "datePublished": "2023-06-28T17:31:02.974Z", "dateUpdated": "2023-10-23T13:46:37.455Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2023-10-23T13:46:37.455Z"}, "title": "IBOS OA Interview Management Export export&interviews=x actionExport sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 SQL Injection"}]}], "affected": [{"vendor": "IBOS", "product": "OA", "versions": [{"version": "4.5.5", "status": "affected"}], "modules": ["Interview Management Export"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. This vulnerability affects the function actionExport of the file ?r=recruit/interview/export&interviews=x of the component Interview Management Export. The manipulation of the argument interviews leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-232546 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "In IBOS OA 4.5.5 wurde eine kritische Schwachstelle gefunden. Das betrifft die Funktion actionExport der Datei ?r=recruit/interview/export&interviews=x der Komponente Interview Management Export. Mittels Manipulieren des Arguments interviews mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2023-06-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-06-28T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-06-28T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-07-20T14:15:36.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "MinimoAgoni (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/?id.232546", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.232546", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/MinimoAgoni/cve/blob/main/iboa%20oa.md", "tags": ["exploit"]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibos:ibos:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "1F678D76-48AA-4940-833F-5567D196DB7D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in IBOS OA 4.5.5 and classified as critical. This vulnerability affects the function actionExport of the file ?r=recruit/interview/export&interviews=x of the component Interview Management Export. The manipulation of the argument interviews leads to sql injection. The exploit has been disclosed to the public and may be used. VDB-232546 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2023-3449", "lastModified": "2024-05-17T02:27:29.940", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2023-06-28T18:15:16.607", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/MinimoAgoni/cve/blob/main/iboa%20oa.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?ctiid.232546"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.232546"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}