CVE-2023-2043

Name of the Vulnerable Software and Affected Versions Control iD RHiD version 23.3.19.0

Description A problematic vulnerability was found in the Edit Handler component, affecting an unknown part of the file /v2/customerdb/operator.svc/a. The manipulation of the email argument leads to SQL injection, and it is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond.

Recommendations For version 23.3.19.0, as a temporary workaround, consider restricting access to the /v2/customerdb/operator.svc/a endpoint until a patch is available. Additionally, avoid using the email argument in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.