CVE-2023-3743 - OpenCVE

Ap Page Builder, in versions lower than 1.7.8.2, could allow a remote attacker to send a specially crafted SQL query to the product_one_img parameter to retrieve the information stored in the database.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Leothemes	Ap Page Builder

Configuration 1 [-]

cpe:2.3:a:leothemes:ap_page_builder:*:*:*:*:*:prestashop:*:*

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-leothemes-ap-page-builder	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-07-18T11:56:05.572Z

Updated: 2023-07-18T11:56:05.572Z

Reserved: 2023-07-18T07:09:37.463Z

Link: CVE-2023-3743

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-07-18T12:15:12.427

Modified: 2023-07-27T03:44:01.503

Link: CVE-2023-3743

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-3743", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-07-18T07:09:37.463Z", "datePublished": "2023-07-18T11:56:05.572Z", "dateUpdated": "2023-07-18T11:56:05.572Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Ap Page Builder", "vendor": "LeoTheme", "versions": [{"lessThan": "1.7.8.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David Manuel Herrera Rodr\u00edguez from Telef\u00f3nica Tech team"}], "datePublic": "2023-07-18T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Ap Page Builder, in versions lower than 1.7.8.2, could allow a remote attacker to send a specially crafted SQL query to the product_one_img parameter to retrieve the information stored in the database.<br>"}], "value": "Ap Page Builder, in versions lower than 1.7.8.2, could allow a remote attacker to send a specially crafted SQL query to the product_one_img parameter to retrieve the information stored in the database.\n"}], "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-07-18T11:56:05.572Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-leothemes-ap-page-builder"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to version 1.7.8.2"}], "value": "Update to version 1.7.8.2"}], "source": {"advisory": "INCIBE-2022-0021", "discovery": "EXTERNAL"}, "title": "SQL injection vulnerability in LeoTheme's Ap Page Builder", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}