Authenticated SQL Injection Vulnerabilities in EdgeConnect SD-WAN Orchestrator Web-based Management Interface
CVE-2023-37437

6.5MEDIUM

Key Information:

Vendor: HP
Status: Edgeconnect Sd-wan Orchestrator
Vendor: CVE Published:; 22 August 2023

Summary

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

Affected Version(s)

EdgeConnect SD-WAN Orchestrator Orchestrator 9.3.x

EdgeConnect SD-WAN Orchestrator Orchestrator 9.2.x

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2023
Vulnerability Reserved
Jul 5, 2023

Credit

Daniel Jensen (@dozernz)