CVE-2023-6097 - Vulnerability Details - OpenCVE

A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00139.

Key SSVC decision points have not yet been added.

Vendors	Products
Icssolution Subscribe	Ics Business Manager Subscribe

Configuration 1 [-]

OR	cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.2802:::::::*
	cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7066:::::::*
	cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7089:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-58353	A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction.

Fixes

Solution

There is no reported solution at this time.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-11-13T13:11:01.674Z

Updated: 2024-09-03T19:39:23.123Z

Reserved: 2023-11-13T09:53:08.477Z

Link: CVE-2023-6097

Vulnrichment

Updated: 2024-08-02T08:21:17.386Z

NVD

Status : Modified

Published: 2023-11-13T13:15:08.007

Modified: 2024-11-21T08:43:07.763

Link: CVE-2023-6097

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6097", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-11-13T09:53:08.477Z", "datePublished": "2023-11-13T13:11:01.674Z", "dateUpdated": "2024-09-03T19:39:23.123Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ICS Business Manager", "vendor": "ICSSolution", "versions": [{"status": "affected", "version": "7.06.0028.7089"}, {"status": "affected", "version": "7.06.0028.7066"}, {"status": "affected", "version": "7.06.0028.2802"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David C\u00e1mara Galindo"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andr\u00e9s Elizalde Galdeano"}], "datePublic": "2023-11-13T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction."}], "value": "A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction."}], "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-13T13:11:01.674Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is no reported solution at this time."}], "value": "There is no reported solution at this time."}], "source": {"discovery": "EXTERNAL"}, "title": "SQL Injection on ICSSolution ICS Business Manager", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.386Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "icssolution", "product": "ics_business_manager", "cpes": ["cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7089:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.06.0028.7089", "status": "affected"}]}, {"vendor": "icssolution", "product": "ics_business_manager", "cpes": ["cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7066:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.06.0028.7066", "status": "affected"}]}, {"vendor": "icssolution", "product": "ics_business_manager", "cpes": ["cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.2802:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "7.06.0028.2802", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T19:25:56.185241Z", "id": "CVE-2023-6097", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T19:39:23.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:21:17.386Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-6097", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-03T19:25:56.185241Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7089:*:*:*:*:*:*:*"], "vendor": "icssolution", "product": "ics_business_manager", "versions": [{"status": "affected", "version": "7.06.0028.7089"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7066:*:*:*:*:*:*:*"], "vendor": "icssolution", "product": "ics_business_manager", "versions": [{"status": "affected", "version": "7.06.0028.7066"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.2802:*:*:*:*:*:*:*"], "vendor": "icssolution", "product": "ics_business_manager", "versions": [{"status": "affected", "version": "7.06.0028.2802"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T19:39:17.321Z"}}], "cna": {"title": "SQL Injection on ICSSolution ICS Business Manager", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "David C\u00e1mara Galindo"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Andr\u00e9s Elizalde Galdeano"}], "impacts": [{"capecId": "CAPEC-108", "descriptions": [{"lang": "en", "value": "CAPEC-108 Command Line Execution through SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ICSSolution", "product": "ICS Business Manager", "versions": [{"status": "affected", "version": "7.06.0028.7089"}, {"status": "affected", "version": "7.06.0028.7066"}, {"status": "affected", "version": "7.06.0028.2802"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "There is no reported solution at this time.", "supportingMedia": [{"type": "text/html", "value": "There is no reported solution at this time.", "base64": false}]}], "datePublic": "2023-11-13T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction.", "supportingMedia": [{"type": "text/html", "value": "A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-11-13T13:11:01.674Z"}}}, "cveMetadata": {"cveId": "CVE-2023-6097", "state": "PUBLISHED", "dateUpdated": "2024-09-03T19:39:23.123Z", "dateReserved": "2023-11-13T09:53:08.477Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2023-11-13T13:11:01.674Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.2802:*:*:*:*:*:*:*", "matchCriteriaId": "AE578FEB-4F03-4203-830E-0A7F4A9410BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7066:*:*:*:*:*:*:*", "matchCriteriaId": "732451C9-3C41-4317-862D-197952D10EA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:icssolution:ics_business_manager:7.06.0028.7089:*:*:*:*:*:*:*", "matchCriteriaId": "1D10212E-CD74-446B-8307-3F2A930305C5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad de inyecci\u00f3n SQL en ICS Business Manager que afecta a la versi\u00f3n 7.06.0028.7089. Esta vulnerabilidad podr\u00eda permitir que un usuario remoto env\u00ede una consulta SQL especialmente manipulada y recupere toda la informaci\u00f3n almacenada en la base de datos. Los datos tambi\u00e9n podr\u00edan modificarse o eliminarse, provocando un mal funcionamiento de la aplicaci\u00f3n."}], "id": "CVE-2023-6097", "lastModified": "2024-11-21T08:43:07.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.5, "source": "cve-coordination@incibe.es", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-13T13:15:08.007", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-icssolution-ics-business-manager"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}