CVE-2023-2760

An SQL injection vulnerability exists in TapHome core HandleMessageUpdateDevicePropertiesRequest function before version 2023.2, allowing low privileged users to inject arbitrary SQL directives into an SQL query and execute arbitrary SQL commands and get full reading access. This may also lead to limited write access and temporary Denial-of-Service.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://claroty.com/team82/disclosure-dashboard/cve-2023-2759	Third Party Advisory
https://claroty.com/team82/disclosure-dashboard/cve-2023-2759	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:taphome:core_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:taphome:core:-:*:*:*:*:*:*:*

History

21 Nov 2024, 07:59

Type	Values Removed	Values Added
References	~~() https://claroty.com/team82/disclosure-dashboard/cve-2023-2759 - Third Party Advisory~~	() https://claroty.com/team82/disclosure-dashboard/cve-2023-2759 - Third Party Advisory

Information

Published : 2023-07-17 07:15

Updated : 2024-11-21 07:59

NVD link : CVE-2023-2760

Mitre link : CVE-2023-2760

CVE.ORG link : CVE-2023-2760

JSON object : View

Products Affected

taphome

core
core_firmware

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-2760", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2023-07-17T07:15:08.953", "references": [{"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-2759", "tags": ["Third Party Advisory"], "source": "info@cert.vde.com"}, {"url": "https://claroty.com/team82/disclosure-dashboard/cve-2023-2759", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability exists in TapHome core HandleMessageUpdateDevicePropertiesRequest function before version 2023.2, allowing low privileged users to inject arbitrary SQL directives into an SQL query and execute arbitrary SQL commands and get full reading access. This may also lead to limited write access and temporary Denial-of-Service."}], "lastModified": "2024-11-21T07:59:14.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:taphome:core_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B01D7D94-C7A8-4FD6-8A85-D863DB3A7DE5", "versionEndExcluding": "2023.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:taphome:core:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "230C3E69-F7C7-4A2D-9562-561E770BEEB0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "info@cert.vde.com"}