CVE-2023-43013

Asset Management System v1.0 is vulnerable to an unauthenticated SQL Injection vulnerability on the 'email' parameter of index.php page, allowing an external attacker to dump all the contents of the database contents and bypass the login control.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://fluidattacks.com/advisories/nergal	Exploit Third Party Advisory
https://projectworlds.in/	Product
https://fluidattacks.com/advisories/nergal	Exploit Third Party Advisory
https://projectworlds.in/	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:projectworlds:asset_management_system:1.0:*:*:*:*:*:*:*

History

21 Nov 2024, 08:23

Type	Values Removed	Values Added
References	~~() https://fluidattacks.com/advisories/nergal - Exploit, Third Party Advisory~~	() https://fluidattacks.com/advisories/nergal - Exploit, Third Party Advisory
References	~~() https://projectworlds.in/ - Product~~	() https://projectworlds.in/ - Product

29 Sep 2023, 19:12

Type	Values Removed	Values Added
CPE		cpe:2.3:a:projectworlds:asset_management_system:1.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Projectworlds asset Management System Projectworlds
References	~~(MISC) https://projectworlds.in/ -~~	(MISC) https://projectworlds.in/ - Product
References	~~(MISC) https://fluidattacks.com/advisories/nergal -~~	(MISC) https://fluidattacks.com/advisories/nergal - Exploit, Third Party Advisory
CWE		CWE-89

28 Sep 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-28 21:15

Updated : 2024-11-21 08:23

NVD link : CVE-2023-43013

Mitre link : CVE-2023-43013

CVE.ORG link : CVE-2023-43013

JSON object : View

Products Affected

projectworlds

asset_management_system

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-43013", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "help@fluidattacks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-09-28T21:15:10.037", "references": [{"url": "https://fluidattacks.com/advisories/nergal", "tags": ["Exploit", "Third Party Advisory"], "source": "help@fluidattacks.com"}, {"url": "https://projectworlds.in/", "tags": ["Product"], "source": "help@fluidattacks.com"}, {"url": "https://fluidattacks.com/advisories/nergal", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://projectworlds.in/", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "help@fluidattacks.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Asset Management System v1.0 is vulnerable to an\n\nunauthenticated SQL Injection vulnerability on the\n\n'email' parameter of index.php page, allowing an\n\nexternal attacker to dump all the contents of the\n\ndatabase contents and bypass the login control.\n\n\n\n"}, {"lang": "es", "value": "Asset Management System v1.0 es vulnerable a una vulnerabilidad de Inyecci\u00f3n SQL no autenticada en el par\u00e1metro 'email' de la p\u00e1gina index.php, lo que permite a un atacante externo volcar todo el contenido de la base de datos y omitir el control de inicio de sesi\u00f3n."}], "lastModified": "2024-11-21T08:23:37.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:projectworlds:asset_management_system:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "656A5C3D-EB26-41B4-8D6A-BE16BE287F05"}], "operator": "OR"}]}], "sourceIdentifier": "help@fluidattacks.com"}