CVE-2023-4309

{"id": "CVE-2023-4309", "cveTags": [{"tags": ["exclusively-hosted-service"], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2023-10-10T18:15:19.173", "references": [{"url": "https://schemasecurity.co/private-elections.pdf", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.electionservicesco.com/pages/services_internet.php", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.youtube.com/watch?v=yeG1xZkHc64", "source": "9119a7d8-5eab-497f-8521-727c672e3725"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.\n"}, {"lang": "es", "value": "El servicio electoral de Internet de Election Services Co. (ESC) es vulnerable a la inyecci\u00f3n de SQL en m\u00faltiples p\u00e1ginas y par\u00e1metros. Estas vulnerabilidades permiten que un atacante remoto no autenticado lea o modifique datos para cualquier elecci\u00f3n que comparta la misma base de datos backend. ESC desactiv\u00f3 las elecciones antiguas y no utilizadas y habilit\u00f3 la protecci\u00f3n de firewall de aplicaciones web (WAF) para las elecciones actuales y futuras el 2023-08-12 o alrededor de esa fecha."}], "lastModified": "2024-08-02T08:15:19.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:electionservicesco:internet_election_service:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78627388-63C2-42E7-B55C-83A012931A9A"}], "operator": "OR"}]}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725"}