GitHub - caffeinated-labs/CVE-2023-36645

Affected Software

Vendor: ITB-GmbH
Affected Products: TradePro (v9.5)
Component: Function Customer; Action oordershow
Confirmed: yes

Attack Vector

Type: SQLi
Access-Type: Remote
Impact: Information Disclosure; Escalation of Privileges

SQL injection in function customer, action oordershow in ITB-GmbH TradePro v9.5 allows remote attackers to run SQL queries on the target system.

Description

Calling http(s)://[DOMAIN]/shop/de/sys/?func=customer&action=oordershow&bestellid=[SQL_QUERY]&wkid=[COOKIE] with a valid but unauthenticated session cookie allows for SQLi.

CVSS

Score: 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P

Credits

pajowu
zerforschung.org

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
README.adoc		README.adoc

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Affected Software

Attack Vector

Description

CVSS

Credits

About

caffeinated-labs/CVE-2023-36645

Folders and files

Latest commit

History

Repository files navigation

Affected Software

Attack Vector

Description

CVSS

Credits

About

Resources

Stars

Watchers

Forks