Authenticated SQL Injection on Query functionality in Guardian/CMC before 22.6.3 and 23.1.0
CVE-2023-2567

8.7HIGH

Key Information:

Vendor: Nozomi Networks
Status: Guardian; Cmc
Vendor: CVE Published:; 19 September 2023

🔔 Create Nozomi Networks Vulnerability Alert

What is CVE-2023-2567?

A SQL Injection vulnerability exists in Nozomi Networks Guardian and CMC applications due to insufficient input validation on certain parameters used in the Query functionality. This flaw allows authenticated users to potentially execute arbitrary SQL statements on the underlying database management system, posing risks of unauthorized data access and manipulation.

Affected Version(s)

CMC 0 < 22.6.3

CMC 23.0.0 < 23.1.0

Guardian 0 < 22.6.3

References

https://security.nozominetworks.com/NN-2023:9-01

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 19, 2023
Vulnerability Reserved
May 8, 2023

Credit

This issue was found by Mostafa Soliman of IBM X-Force Red during a VAPT testing session commissioned by one of our customers.