CVE-2023-5007 - OpenCVE

Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'id' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Kashipara	Student Information System

Configuration 1 [-]

cpe:2.3:a:kashipara:student_information_system:1.0:*:*:*:*:wordpress:*:*

References

Link	Resource
https://fluidattacks.com/advisories/kissin/	Exploit Third Party Advisory
https://www.kashipara.com/	Not Applicable

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Fluid Attacks

Published: 2023-12-20T15:58:34.088Z

Updated: 2023-12-20T15:58:34.088Z

Reserved: 2023-09-15T21:43:30.060Z

Link: CVE-2023-5007

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-20T16:15:09.987

Modified: 2023-12-26T21:32:57.167

Link: CVE-2023-5007

JSON object: View

Redhat Information

No data.

CWE

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-5007", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2023-09-15T21:43:30.060Z", "datePublished": "2023-12-20T15:58:34.088Z", "dateUpdated": "2023-12-20T15:58:34.088Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Student Information System", "vendor": "Kashipara Group", "versions": [{"status": "affected", "version": "1.0"}]}], "datePublic": "2023-12-06T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'id' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.</p>"}], "value": "Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'id' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.\n\n"}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2023-12-20T15:58:34.088Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/kissin/"}, {"tags": ["product"], "url": "https://www.kashipara.com/"}], "source": {"discovery": "UNKNOWN"}, "title": "Student Information System v1.0 - Multiple Authenticated SQL Injections (SQLi)", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}