CVE-2024-43775

SQL Injection in search course titles function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the search parameter.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://zuso.ai/advisory/za-2024-08	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:easytest:easytest_online_test_platform:*:*:*:*:*:*:*:*

History

04 Sep 2024, 12:27

Type	Values Removed	Values Added
First Time		Easytest easytest Online Test Platform Easytest
CPE		cpe:2.3:a:easytest:easytest_online_test_platform::::::::
References	~~() https://zuso.ai/advisory/za-2024-08 -~~	() https://zuso.ai/advisory/za-2024-08 - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

03 Sep 2024, 12:59

Type	Values Removed	Values Added
Summary		(es) La función de inyección SQL en la búsqueda de títulos de cursos de Easytest Online Test Platform ver.24E01 y anteriores permite a usuarios autenticados remotos ejecutar comandos SQL arbitrarios a través del parámetro de búsqueda.

02 Sep 2024, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-02 05:15

Updated : 2024-09-04 12:27

NVD link : CVE-2024-43775

Mitre link : CVE-2024-43775

CVE.ORG link : CVE-2024-43775

JSON object : View

Products Affected

easytest

easytest_online_test_platform

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2024-43775", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "ART@zuso.ai", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.7, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-09-02T05:15:17.420", "references": [{"url": "https://zuso.ai/advisory/za-2024-08", "tags": ["Third Party Advisory"], "source": "ART@zuso.ai"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "ART@zuso.ai", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "SQL Injection in search course titles function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the search parameter."}, {"lang": "es", "value": "La funci\u00f3n de inyecci\u00f3n SQL en la b\u00fasqueda de t\u00edtulos de cursos de Easytest Online Test Platform ver.24E01 y anteriores permite a usuarios autenticados remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro de b\u00fasqueda."}], "lastModified": "2024-09-04T12:27:22.670", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:easytest:easytest_online_test_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66A01710-07B8-49AF-A09D-462A63912357", "versionEndIncluding": "24e01"}], "operator": "OR"}]}], "sourceIdentifier": "ART@zuso.ai"}