CVE-2023-31702

Name of the Vulnerable Software and Affected Versions MicroWorld eScan Management Console version 14.0.1400.2281

Description The issue allows a remote attacker to perform SQL injection in the View User Profile feature, enabling them to dump the entire database and gain a Windows XP command shell. This can lead to code execution on the database server. The attack is carried out via the GetUserCurrentPwd endpoint with the UsrId parameter set to 1, specifically GetUserCurrentPwd?UsrId=1.

Recommendations For MicroWorld eScan Management Console version 14.0.1400.2281, consider disabling the GetUserCurrentPwd endpoint or restricting access to it until a patch is available. Avoid using the UsrId parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.