Bylancer QuickOrder GET Parameter blog sql injection
CVE-2023-3690

9.8CRITICAL

Key Information:

Vendor: Bylancer
Status: QuickOrder
Vendor: CVE Published:; 16 July 2023

What is CVE-2023-3690?

A vulnerability exists within the Bylancer QuickOrder version 6.3.7, specifically in the GET Parameter Handler component. An attacker can exploit this vulnerability by manipulating the 's' argument within the file /blog, leading to unauthorized SQL command execution. This flaw can be exploited remotely, allowing potential attackers to gain access to sensitive database information and perform malicious transactions. As of now, there has been no response from the vendor regarding this disclosure, highlighting the need for immediate attention and mitigation from users.

Affected Version(s)

QuickOrder 6.3.7

References

https://vuldb.com/?id.234236

vdb-entrytechnical-description

https://vuldb.com/?ctiid.234236

signature

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 16, 2023
Vulnerability Reserved
Jul 15, 2023

Credit

skalvin (VulDB User)

CVE-2023-3690 Data

JSON