CVE-2023-26583 - Vulnerability Details - OpenCVE

Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Idattend	Idweb

Configuration 1 [-]

cpe:2.3:a:idattend:idweb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.themissinglink.com.au/security-advisories/cve-2023-26583

History

No history.

MITRE

Status: PUBLISHED

Assigner: TML

Published: 2023-10-25T10:02:08.029Z

Updated: 2024-09-11T13:50:30.744Z

Reserved: 2023-02-26T06:25:18.749Z

Link: CVE-2023-26583

Vulnrichment

Updated: 2024-08-02T11:53:54.055Z

NVD

Status : Modified

Published: 2023-10-25T18:17:26.127

Modified: 2024-11-21T07:51:47.987

Link: CVE-2023-26583

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-26583", "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "state": "PUBLISHED", "assignerShortName": "TML", "dateReserved": "2023-02-26T06:25:18.749Z", "datePublished": "2023-10-25T10:02:08.029Z", "dateUpdated": "2024-09-11T13:50:30.744Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "IDWeb", "vendor": "IDAttend Pty Ltd", "versions": [{"lessThanOrEqual": "3.1.052", "status": "affected", "version": "0", "versionType": "major"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend\u2019s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. "}], "value": "Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend\u2019s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. "}], "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "shortName": "TML", "dateUpdated": "2023-10-26T06:42:13.223Z"}, "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-26583"}], "source": {"discovery": "EXTERNAL"}, "title": "Unauthenticated SQL Injection In IDAttend\u2019s IDWeb Application", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:53:54.055Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-26583", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-11T13:50:07.467509Z", "id": "CVE-2023-26583", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T13:50:30.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-26583", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T11:53:54.055Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-26583", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-11T13:50:07.467509Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T13:50:24.582Z"}}], "cna": {"title": "Unauthenticated SQL Injection In IDAttend\u2019s IDWeb Application", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-66", "descriptions": [{"lang": "en", "value": "CAPEC-66 SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IDAttend Pty Ltd", "product": "IDWeb", "versions": [{"status": "affected", "version": "0", "versionType": "major", "lessThanOrEqual": "3.1.052"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.themissinglink.com.au/security-advisories/cve-2023-26583"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend\u2019s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. ", "supportingMedia": [{"type": "text/html", "value": "Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend\u2019s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "shortName": "TML", "dateUpdated": "2023-10-26T06:42:13.223Z"}}}, "cveMetadata": {"cveId": "CVE-2023-26583", "state": "PUBLISHED", "dateUpdated": "2024-09-11T13:50:30.744Z", "dateReserved": "2023-02-26T06:25:18.749Z", "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7", "datePublished": "2023-10-25T10:02:08.029Z", "assignerShortName": "TML"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:idattend:idweb:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BAFE4C9-F4BD-4B37-87D3-B0A399AD114B", "versionEndIncluding": "3.1.052", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unauthenticated SQL injection in the GetCurrentPeriod method in IDAttend\u2019s IDWeb application 3.1.052 and earlier allows extraction or modification of all data by unauthenticated attackers. "}, {"lang": "es", "value": "La inyecci\u00f3n de SQL no autenticado en el m\u00e9todo GetCurrentPeriod en la aplicaci\u00f3n IDWeb de IDAttend 3.1.052 y versiones anteriores permite la extracci\u00f3n o modificaci\u00f3n de todos los datos por parte de atacantes no autenticados."}], "id": "CVE-2023-26583", "lastModified": "2024-11-21T07:51:47.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "vdp@themissinglink.com.au", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-25T18:17:26.127", "references": [{"source": "vdp@themissinglink.com.au", "tags": ["Third Party Advisory"], "url": "https://www.themissinglink.com.au/security-advisories/cve-2023-26583"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.themissinglink.com.au/security-advisories/cve-2023-26583"}], "sourceIdentifier": "vdp@themissinglink.com.au", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "vdp@themissinglink.com.au", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}