CVE-2023-4485

{"id": "CVE-2023-4485", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2023-09-06T00:15:07.530", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-01", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "ARDEREG\u00a0\u200bSistema SCADA Central versions 2.203 and prior\nlogin page are vulnerable to an unauthenticated blind SQL injection attack. An attacker could manipulate the application's SQL query logic to extract sensitive information or perform unauthorized actions within the database. In this case, the vulnerability could allow an attacker to execute arbitrary SQL queries through the login page, potentially leading to unauthorized access, data leakage, or even disruption of critical industrial processes.\n\n"}, {"lang": "es", "value": "ARDEREG ?Sistema SCADA Central versiones 2.203 y anteriores, la p\u00e1gina de inicio de sesi\u00f3n son vulnerables a un ataque de inyecci\u00f3n blind SQL no autenticada. Un atacante podr\u00eda manipular la l\u00f3gica de consulta SQL de la aplicaci\u00f3n para extraer informaci\u00f3n confidencial o realizar acciones no autorizadas dentro de la base de datos. En este caso, la vulnerabilidad podr\u00eda permitir a un atacante ejecutar consultas SQL arbitrarias a trav\u00e9s de la p\u00e1gina de inicio de sesi\u00f3n, lo que podr\u00eda provocar acceso no autorizado, fuga de datos o incluso interrupci\u00f3n de procesos industriales cr\u00edticos.\n"}], "lastModified": "2023-11-07T04:22:39.683", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ardereg:sistemas_scada:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C51DD5B5-A3FA-482B-819F-100F193CEB96", "versionEndIncluding": "2.203"}], "operator": "OR"}]}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}