Unauthenticated SQL Injection Vulnerability in Webkul QloApps by Webkul
CVE-2023-36284

7.5HIGH

Key Information:

Vendor: Webkul
Status: Qloapps
Vendor: CVE Published:; 23 June 2023

Summary

An unauthenticated Time-Based SQL injection vulnerability in Webkul QloApps version 1.6.0 allows remote attackers to manipulate GET parameters such as date_from, date_to, and id_product. This manipulation can let attackers bypass the application's authentication mechanisms, potentially granting access to sensitive data stored in the database. Organizations using this version of QloApps should take immediate steps to assess their systems and implement necessary patches.

References

https://flashy-lemonade-192.notion.site/Time-Based-SQL-in...

EPSS Score

22% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 23, 2023
Vulnerability Reserved
Jun 21, 2023