Authenticated Blind SQL Injection on sorting in Guardian/CMC before 22.6.2
CVE-2023-22378

6.5MEDIUM

Key Information:

Vendor: Nozomi Networks
Status: Guardian; Cmc
Vendor: CVE Published:; 9 August 2023

🔔 Create Nozomi Networks Vulnerability Alert

What is CVE-2023-22378?

A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the sorting parameter, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application.

Authenticated users may be able to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and/or affect its availability.

Affected Version(s)

CMC 0 < 22.6.2

Guardian 0 < 22.6.2

References

https://security.nozominetworks.com/NN-2023:2-01

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 9, 2023
Vulnerability Reserved
Jan 24, 2023

Credit

This issue was found by Stefano Libero of Nozomi Networks Product Security team during a scheduled internal VAPT testing session.