CVE-2023-22378

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application. Authenticated users may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.nozominetworks.com/NN-2023:2-01	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nozominetworks:cmc::::::::
	cpe:2.3:a:nozominetworks:guardian::::::::

History

20 Sep 2024, 12:15

Type	Values Removed	Values Added
Summary	(en) A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application. Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way.	(en) A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application. Authenticated users may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

28 May 2024, 13:15

Type	Values Removed	Values Added
Summary	(en) A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application. Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way.	(en) A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL queries on the DBMS used by the web application. Authenticated users can extract arbitrary information from the DBMS in an uncontrolled way.

15 Aug 2023, 16:06

Type	Values Removed	Values Added
CWE		CWE-89
References	~~(MISC) https://security.nozominetworks.com/NN-2023:2-01 -~~	(MISC) https://security.nozominetworks.com/NN-2023:2-01 - Vendor Advisory
CPE		cpe:2.3:a:nozominetworks:cmc:::::::: cpe:2.3:a:nozominetworks:guardian::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

09 Aug 2023, 12:46

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-09 09:15

Updated : 2024-09-20 12:15

NVD link : CVE-2023-22378

Mitre link : CVE-2023-22378

CVE.ORG link : CVE-2023-22378

JSON object : View

Products Affected

nozominetworks

cmc
guardian

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

6.5 /10