Billing Software v1.0 - Multiple Unauthenticated SQL Injections (SQLi)
CVE-2023-49665

9.8 CRITICAL

Key Information:

Vendor: Kashipara
CVE Published: 4 January 2024

What is CVE-2023-49665?

Billing Software v1.0, developed by Kashipara, does not validate request parameters before using them in database queries. The injection point identified on this page is the 'quantity[]' array parameter handled by submit_delivery_list.php: its values are passed into a SQL statement without sanitisation or parameter binding, and the script can be reached without authentication. A remote attacker who can send a crafted POST request to that endpoint can therefore alter the query the application runs. The title refers to multiple injection points; quantity[] is the one this page names. Likely consequences are disclosure of data held in the billing database, modification or deletion of records, and, depending on the privileges of the database account the application uses, further compromise of the host. CVSS 3.1 rates the issue 9.8 (Critical): reachable over the network, low attack complexity, no privileges and no user interaction required. No vendor fix is listed on this page; operators should restrict network access to the application, treat the affected endpoint as exposed until it is patched, and apply strict input validation and parameterised queries to the script.
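To show the flaw class and its fix in the language the affected script is written in, the following is an added example; it is not the Kashipara Billing Software source and is not part of this advisory. Only the 'quantity[]' parameter name and the submit_delivery_list.php file name come from the advisory. The table and column names, the companion 'item_id[]' parameter, the database credentials and the session check are assumptions made for the illustration.

```php
<?php
// Added illustration, NOT the Kashipara Billing Software source.
// The advisory states that submit_delivery_list.php builds a SQL query
// from the unvalidated 'quantity[]' POST array. The table/column names
// (delivery_items, item_id, qty), the 'item_id[]' parameter and the
// credentials below are assumptions for this example.

$db = new mysqli('localhost', 'billing', 'secret', 'billing');
$db->set_charset('utf8mb4');

// --- Vulnerable pattern (hypothetical reconstruction of the flaw class) ---
// Each array element is interpolated directly into the statement, so a
// value such as 1') ON DUPLICATE KEY UPDATE qty=0 -- or a UNION/stacked
// payload rewrites the query instead of being stored as a number.
function insert_delivery_unsafe(mysqli $db, array $item_ids, array $quantities): void
{
    foreach ($quantities as $i => $qty) {
        $item = $item_ids[$i];
        $sql  = "INSERT INTO delivery_items (item_id, qty) VALUES ('$item', '$qty')";
        $db->query($sql);   // unauthenticated input reaches the SQL parser unchanged
    }
}

// --- Hardened form: validate every array element, then bind parameters ---
function insert_delivery_safe(mysqli $db, array $item_ids, array $quantities): int
{
    if (count($item_ids) !== count($quantities)) {
        throw new InvalidArgumentException('item_id[] and quantity[] length mismatch');
    }
    $stmt = $db->prepare('INSERT INTO delivery_items (item_id, qty) VALUES (?, ?)');
    $rows = 0;
    foreach ($quantities as $i => $qty) {
        // quantity[] and item_id[] must be positive integers; reject anything
        // else outright rather than trying to escape it.
        $opts = ['options' => ['min_range' => 1]];
        $q    = filter_var($qty, FILTER_VALIDATE_INT, $opts);
        $item = filter_var($item_ids[$i] ?? null, FILTER_VALIDATE_INT, $opts);
        if ($q === false || $item === false) {
            throw new InvalidArgumentException("bad delivery row at index $i");
        }
        $stmt->bind_param('ii', $item, $q);   // bound as integers, never parsed as SQL
        $stmt->execute();
        $rows += $stmt->affected_rows;
    }
    $stmt->close();
    return $rows;
}

// Request handling. The advisory rates the endpoint as reachable without
// privileges (PR:N), so the fix also requires an authenticated session;
// the $_SESSION['user_id'] key is an assumption.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$ids = $_POST['item_id']  ?? [];
$qty = $_POST['quantity'] ?? [];
if (!is_array($ids) || !is_array($qty)) {
    http_response_code(400);
    exit('item_id[] and quantity[] must be arrays');
}
try {
    echo insert_delivery_safe($db, $ids, $qty) . " rows inserted\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit($e->getMessage());
}
```

The important detail for an array parameter is that validation must run per element: checking only the first value, or only that the parameter is present, leaves the remaining elements unvalidated, which is exactly how a quantity[] style injection survives a superficial fix. Binding with 'ii' also rejects non-numeric values at the driver, so even a missed validation path cannot change the statement's structure.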

Affected Version(s)

Billing Software 1.0

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 4 January 2024

  • Vulnerability reserved
