PT-2023-31001 · Slims · Slims

Vuln0Wned

Published

2023-12-01

Updated

2023-12-31

CVE-2023-48893

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions SLiMS versions prior to 9.6.2

Description The issue allows for SQL injection, potentially enabling a remote attacker to obtain sensitive information and execute arbitrary code. This can be achieved by crafting a script to the date parameter in the staff act.php file, specifically via the startDate or untilDate parameters.

Recommendations For versions prior to 9.6.2, update to a version that contains a fix for this issue to prevent SQL injection attacks. As a temporary workaround, consider restricting access to the staff act.php file or limiting the input for the startDate and untilDate parameters until a patch is available.

Exploit

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2023-48893

Affected Products

Slims

PT-2023-31001 · Slims · Slims

CVE-2023-48893

Weakness Enumeration

Related Identifiers

Affected Products

References · 8