CVE-2023-7191 - Vulnerability Details - OpenCVE

A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Adjacent Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00045.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
S-cms	S-cms

Configuration 1 [-]

OR	cpe:2.3:a:s-cms:s-cms:1.0:::::::*
	cpe:2.3:a:s-cms:s-cms:1.5:::::::*
	cpe:2.3:a:s-cms:s-cms:2.0:build_20220529-20231006::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://note.zhaoj.in/share/Fmytf7wBINbP
https://vuldb.com/?ctiid.249393
https://vuldb.com/?id.249393

History

Thu, 17 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2023-12-31T16:00:05.206Z

Updated: 2025-04-17T19:48:09.151Z

Reserved: 2023-12-30T16:50:57.706Z

Link: CVE-2023-7191

Vulnrichment

Updated: 2024-08-02T08:57:34.058Z

NVD

Status : Modified

Published: 2023-12-31T16:15:44.430

Modified: 2024-11-21T08:45:28.700

Link: CVE-2023-7191

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-7191", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-12-30T16:50:57.706Z", "datePublished": "2023-12-31T16:00:05.206Z", "dateUpdated": "2025-04-17T19:48:09.151Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-02-13T07:31:14.975Z"}, "title": "S-CMS reg.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 SQL Injection"}]}], "affected": [{"vendor": "n/a", "product": "S-CMS", "versions": [{"version": "2.0_build20220529-20231006", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Es wurde eine kritische Schwachstelle in S-CMS bis 2.0_build20220529-20231006 gefunden. Dabei betrifft es einen unbekannter Codeteil der Datei member/reg.php. Dank Manipulation des Arguments M_login/M_email mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2023-12-30T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-12-30T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-12-30T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-01-22T08:37:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "glzjin (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.249393", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.249393", "tags": ["signature", "permissions-required"]}, {"url": "https://note.zhaoj.in/share/Fmytf7wBINbP", "tags": ["broken-link", "exploit"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:34.058Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.249393", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.249393", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://note.zhaoj.in/share/Fmytf7wBINbP", "tags": ["broken-link", "exploit", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-05T19:15:28.731300Z", "id": "CVE-2023-7191", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T19:48:09.151Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.249393", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.249393", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://note.zhaoj.in/share/Fmytf7wBINbP", "tags": ["broken-link", "exploit", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:57:34.058Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-7191", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-05T19:15:28.731300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-17T19:48:05.232Z"}}], "cna": {"title": "S-CMS reg.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "glzjin (VulDB User)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5.2, "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P"}}], "affected": [{"vendor": "n/a", "product": "S-CMS", "versions": [{"status": "affected", "version": "2.0_build20220529-20231006"}]}], "timeline": [{"lang": "en", "time": "2023-12-30T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2023-12-30T00:00:00.000Z", "value": "CVE reserved"}, {"lang": "en", "time": "2023-12-30T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-01-22T08:37:53.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.249393", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.249393", "tags": ["signature", "permissions-required"]}, {"url": "https://note.zhaoj.in/share/Fmytf7wBINbP", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "de", "value": "Es wurde eine kritische Schwachstelle in S-CMS bis 2.0_build20220529-20231006 gefunden. Dabei betrifft es einen unbekannter Codeteil der Datei member/reg.php. Dank Manipulation des Arguments M_login/M_email mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-02-13T07:31:14.975Z"}}}, "cveMetadata": {"cveId": "CVE-2023-7191", "state": "PUBLISHED", "dateUpdated": "2025-04-17T19:48:09.151Z", "dateReserved": "2023-12-30T16:50:57.706Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2023-12-31T16:00:05.206Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:s-cms:s-cms:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B6BD148-38BC-4577-8467-2333C2466F90", "vulnerable": true}, {"criteria": "cpe:2.3:a:s-cms:s-cms:1.5:*:*:*:*:*:*:*", "matchCriteriaId": "7677FA9F-F255-4334-A35C-F952E85B2532", "vulnerable": true}, {"criteria": "cpe:2.3:a:s-cms:s-cms:2.0:build_20220529-20231006:*:*:*:*:*:*", "matchCriteriaId": "BEDCE259-DBF8-4C71-9448-020BE950702F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006. This affects an unknown part of the file member/reg.php. The manipulation of the argument M_login/M_email leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249393 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Una vulnerabilidad fue encontrada en S-CMS hasta 2.0_build20220529-20231006 y clasificada como cr\u00edtica. Una parte desconocida del archivo member/reg.php afecta a esta vulnerabilidad. La manipulaci\u00f3n del argumento M_login/M_email conduce a la inyecci\u00f3n de SQL. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-249393. NOTA: Se contact\u00f3 primeramente al proveedor sobre esta divulgaci\u00f3n, pero no respondi\u00f3 de ninguna forma."}], "id": "CVE-2023-7191", "lastModified": "2024-11-21T08:45:28.700", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.2, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-31T16:15:44.430", "references": [{"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://note.zhaoj.in/share/Fmytf7wBINbP"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required"], "url": "https://vuldb.com/?ctiid.249393"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.249393"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://note.zhaoj.in/share/Fmytf7wBINbP"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://vuldb.com/?ctiid.249393"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.249393"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}