Platform
php
Component
voovi-social-networking-script
Opgelost in
1.0.1
CVE-2023-6412 represents a critical SQL injection vulnerability discovered in Voovi Social Networking Script versions 1.0 and 1.0. This flaw allows a remote attacker to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. A patch, version 1.0.1, has been released to address this security concern.
The SQL injection vulnerability in Voovi Social Networking Script allows an attacker to directly interact with the underlying database. By crafting malicious SQL queries through the photo.php parameter, an attacker can bypass security measures and execute arbitrary commands. This could result in the complete exfiltration of sensitive data, including user credentials, personal information, and potentially even database schema details. Successful exploitation could also lead to data modification or deletion, disrupting the functionality of the social networking script and compromising its integrity. The blast radius extends to all users of the affected script, particularly those storing sensitive information within the database.
CVE-2023-6412 was publicly disclosed on 2023-11-30. While no active exploitation campaigns have been definitively confirmed, the CRITICAL CVSS score and the ease of exploitation via SQL injection suggest a high probability of exploitation if the vulnerability remains unpatched. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the simplicity of the attack vector.
Websites and applications utilizing the Voovi Social Networking Script version 1.0 and 1.0 are at significant risk. This includes small to medium-sized businesses, personal blogs, and any platform integrating this script for social networking functionality. Shared hosting environments are particularly vulnerable, as a compromised script on one site could potentially impact others on the same server.
• php: Examine access logs for requests to photo.php containing unusual characters or SQL keywords (e.g., UNION, SELECT, DROP).
• php: Search for modifications to the photo.php file that might indicate an attacker attempting to inject malicious code.
• generic web: Use curl to test the photo.php endpoint with various SQL injection payloads to identify exploitable parameters.
curl 'http://example.com/voovi/photo.php?id=1 UNION SELECT 1,2,3 -- ' disclosure
Exploit Status
EPSS
0.20% (42% percentiel)
CVSS-vector
The primary mitigation for CVE-2023-6412 is to immediately upgrade to version 1.0.1 of Voovi Social Networking Script. If upgrading is not immediately feasible due to compatibility issues or downtime concerns, consider implementing a Web Application Firewall (WAF) with rules to filter potentially malicious SQL queries targeting the photo.php parameter. Input validation and sanitization on the server-side are also crucial to prevent SQL injection attacks. Regularly review and update database access permissions to limit the potential impact of a successful attack.
Actualizar a una versión parcheada o descontinuar el uso del script. Debido a la vulnerabilidad de inyección SQL, es crucial aplicar las actualizaciones de seguridad proporcionadas por el proveedor o migrar a una solución más segura. En caso de no haber actualizaciones, se recomienda dejar de utilizar el software.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2023-6412 is a critical SQL injection vulnerability affecting Voovi Social Networking Script versions 1.0 and 1.0, allowing attackers to inject malicious SQL queries via the photo.php parameter.
If you are using Voovi Social Networking Script version 1.0 or 1.0, you are potentially affected and should upgrade immediately.
Upgrade to version 1.0.1 of Voovi Social Networking Script. As a temporary workaround, implement a WAF to filter malicious SQL queries.
While no confirmed active exploitation campaigns are currently known, the CRITICAL severity and ease of exploitation suggest a high probability of exploitation if unpatched.
Refer to the vendor's website or security advisories for the latest information and updates regarding CVE-2023-6412.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.