CVE-2023-48395

{"id": "CVE-2023-48395", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "twcert@cert.org.tw", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-12-15T10:15:08.590", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7625-a0b9c-1.html", "tags": ["Third Party Advisory"], "source": "twcert@cert.org.tw"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "twcert@cert.org.tw", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Kaifa Technology WebITR is an online attendance system, it has insufficient validation for user input within a special function. A remote attacker with regular user privilege can exploit this vulnerability to inject arbitrary SQL commands to read database."}, {"lang": "es", "value": "Kaifa Technology WebITR es un sistema de asistencia en l\u00ednea, no tiene validaci\u00f3n suficiente para la entrada del usuario dentro de una funci\u00f3n especial. Un atacante remoto con privilegios de usuario normal puede aprovechar esta vulnerabilidad para inyectar comandos SQL arbitrarios para leer la base de datos."}], "lastModified": "2023-12-22T15:28:27.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kaifa:webitr_attendance_system:2.1.0.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B300C11-0A7F-409F-9D3C-3CE08E366D75"}], "operator": "OR"}]}], "sourceIdentifier": "twcert@cert.org.tw"}