Impact
openDCIM version 23.04 suffers from a SQL injection flaw in the Config::UpdateParameter routine, where user‑supplied values are concatenated directly into SQL statements without prepared statements or sanitization. This is a CWE‑89 vulnerability that enables an authenticated application user to run arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the underlying database.
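As an added illustration that is not part of this advisory and not openDCIM's own code (openDCIM itself is written in PHP), the following Python/sqlite3 snippet places the concatenation pattern the advisory describes next to its prepared-statement fix, together with a regression check a maintainer can keep. The config table, column names and parameter values are constructed assumptions, not openDCIM's real schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a config table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE config (parameter TEXT PRIMARY KEY, value TEXT)")
    db.executemany("INSERT INTO config VALUES (?, ?)",
                   [("OrgName", "Example Org"), ("Locale", "en_US")])
    db.commit()
    return db


def update_parameter_vulnerable(db, name, value):
    """The CWE-89 pattern: user input is spliced into the SQL text itself."""
    sql = ("UPDATE config SET value='" + value
           + "' WHERE parameter='" + name + "'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def update_parameter_fixed(db, name, value):
    """Hardened form: bound parameters, so the driver never parses input as SQL."""
    cur = db.execute("UPDATE config SET value=? WHERE parameter=?", (value, name))
    db.commit()
    return cur.rowcount


def read_parameter(db, name):
    row = db.execute("SELECT value FROM config WHERE parameter=?", (name,)).fetchone()
    return row[0] if row else None


def check_stores_literally(update_fn):
    """Regression check: a value containing a quote must be stored verbatim,
    touch exactly one row, and leave other parameters untouched.
    Returns (ok, rows_changed, stored_value_or_error)."""
    db = make_db()
    tricky = "O'Brien Data Center"   # constructed value; the quote is the point
    try:
        rows = update_fn(db, "OrgName", tricky)
    except sqlite3.Error as e:        # concatenation breaks on the quote
        return (False, 0, repr(e))
    stored = read_parameter(db, "OrgName")
    ok = (stored == tricky and rows == 1
          and read_parameter(db, "Locale") == "en_US")
    return (ok, rows, stored)
```

Running the check against both routines shows that only the parameterized version passes; the concatenated version fails on the quote, which is the same parsing behaviour that lets crafted input change the statement's meaning.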
Affected Systems
The affected product is openDCIM, with all releases up to and including 23.04 that contain the vulnerable commit 4467e9c4. Versions before 23.04 are not affected, as they do not include this code path.
Risk and Exploitability
The base CVSS score is 9.3, indicating critical severity, while the EPSS score is below 1%, representing a very low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, but publicly available proof‑of‑concept code confirms that it is exploitable. Based on the description, an attacker is inferred to need authenticated access to the application to trigger the injection, so the most likely vectors are compromised or insider credentials rather than unauthenticated access. A successful attack allows arbitrary SQL commands to be executed against the database, leading to data theft, modification, or denial of service.
OpenCVE Enrichment