CVE-2023-3008 - Vulnerability Details - OpenCVE

A vulnerability classified as critical has been found in ningzichun Student Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument user/pass leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230355.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Student Management System Project	Student Management System

Configuration 1 [-]

cpe:2.3:a:student_management_system_project:student_management_system:1.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md
https://vuldb.com/?ctiid.230355
https://vuldb.com/?id.230355

History

Thu, 09 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2023-05-31T11:31:03.993Z

Updated: 2025-01-09T19:51:17.088Z

Reserved: 2023-05-31T11:01:47.403Z

Link: CVE-2023-3008

Vulnrichment

Updated: 2024-08-02T06:41:03.938Z

NVD

Status : Modified

Published: 2023-05-31T12:15:09.640

Modified: 2024-11-21T08:16:13.703

Link: CVE-2023-3008

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3008", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2023-05-31T11:01:47.403Z", "datePublished": "2023-05-31T11:31:03.993Z", "dateUpdated": "2025-01-09T19:51:17.088Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-02-13T07:37:28.769Z"}, "title": "ningzichun Student Management System login.php sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 SQL Injection"}]}], "affected": [{"vendor": "ningzichun", "product": "Student Management System", "versions": [{"version": "1.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in ningzichun Student Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument user/pass leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230355."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in ningzichun Student Management System 1.0 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft eine unbekannte Funktion der Datei login.php. Durch Manipulation des Arguments user/pass mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "timeline": [{"time": "2023-05-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2023-05-31T00:00:00.000Z", "lang": "en", "value": "CVE reserved"}, {"time": "2023-05-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2023-07-24T16:00:26.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "webray.com.cn (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.230355", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.230355", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md", "tags": ["broken-link", "exploit"]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.938Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.230355", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.230355", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md", "tags": ["broken-link", "exploit", "x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-09T19:51:03.002462Z", "id": "CVE-2023-3008", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T19:51:17.088Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.230355", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.230355", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md", "tags": ["broken-link", "exploit", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.938Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-3008", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-09T19:51:03.002462Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-09T19:51:08.512Z"}}], "cna": {"title": "ningzichun Student Management System login.php sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "webray.com.cn (VulDB User)"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "affected": [{"vendor": "ningzichun", "product": "Student Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2023-05-31T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2023-05-31T00:00:00.000Z", "value": "CVE reserved"}, {"lang": "en", "time": "2023-05-31T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2023-07-24T16:00:26.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.230355", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.230355", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md", "tags": ["broken-link", "exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in ningzichun Student Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument user/pass leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230355."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in ningzichun Student Management System 1.0 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft eine unbekannte Funktion der Datei login.php. Durch Manipulation des Arguments user/pass mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-02-13T07:37:28.769Z"}}}, "cveMetadata": {"cveId": "CVE-2023-3008", "state": "PUBLISHED", "dateUpdated": "2025-01-09T19:51:17.088Z", "dateReserved": "2023-05-31T11:01:47.403Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2023-05-31T11:31:03.993Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:student_management_system_project:student_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A7B8D380-AE4F-4AA2-AFFA-EA5477647B41", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in ningzichun Student Management System 1.0. This affects an unknown part of the file login.php. The manipulation of the argument user/pass leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230355."}], "id": "CVE-2023-3008", "lastModified": "2024-11-21T08:16:13.703", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-31T12:15:09.640", "references": [{"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?ctiid.230355"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.230355"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/Xor-Gerke/webray.com.cn/blob/main/cve/student-management-system/sql_inject.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?ctiid.230355"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.230355"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Secondary"}]}