PT-2023-28330 · Fit2Cloud · Fit2Cloud Rackshift

Colind0Pe

Published

2023-09-14

Updated

2023-09-19

CVE-2023-42405

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions FIT2CLOUD RackShift version 1.7.1

Description The issue allows attackers to execute arbitrary code via the sort parameter to taskService.list(), bareMetalService.list(), and switchService.list() API endpoints. This enables attackers to potentially inject malicious SQL code, compromising the system's security.

Recommendations For FIT2CLOUD RackShift version 1.7.1, consider disabling the sort parameter in the taskService.list(), bareMetalService.list(), and switchService.list() functions until a patch is available. Restrict access to these API endpoints to minimize the risk of exploitation. Avoid using the sort parameter in these endpoints until the issue is resolved.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2023-42405

Affected Products

Fit2Cloud Rackshift

PT-2023-28330 · Fit2Cloud · Fit2Cloud Rackshift

CVE-2023-42405

Weakness Enumeration

Related Identifiers

Affected Products

References · 5