Codecanyon Credit Lite POST Request account_statement sql injection
CVE-2023-4407

9.8CRITICAL

Key Information:

Vendor

Codecanyon

Status
Credit Lite
Vendor
CVE Published:
18 August 2023

What is CVE-2023-4407?

A vulnerability in Codecanyon Credit Lite version 1.5.4 allows for SQL injection via unsanitized input in the /portal/reports/account_statement POST Request Handler. This flaw enables attackers to manipulate the date1 and date2 parameters, potentially leading to unauthorized access to sensitive data. The exploit can be executed remotely, emphasizing the importance of immediate mitigation efforts for users of this product.

Affected Version(s)

Credit Lite 1.5.4

References

https://vuldb.com/?id.237511
vdb-entrytechnical-description
https://vuldb.com/?ctiid.237511
signaturepermissions-required
http://packetstormsecurity.com/files/174244/Credit-Lite-1...
related

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

skalvin (VulDB User)
.