18 vulnerabilities found for masterlab by masterlab
FKIE_CVE-2023-7159
Vulnerability from fkie_nvd - Published: 2023-12-29 07:15 - Updated: 2024-11-21 08:45
Severity
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://note.zhaoj.in/share/FE79uijyqmG7 | Broken Link | |
| cna@vuldb.com | https://note.zhaoj.in/share/jNbywlXI46HV | Broken Link | |
| cna@vuldb.com | https://vuldb.com/?ctiid.249181 | Permissions Required, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.249181 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://note.zhaoj.in/share/FE79uijyqmG7 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://note.zhaoj.in/share/jNbywlXI46HV | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.249181 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.249181 | Permissions Required, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "650AE4B5-39D2-4607-8455-957955DF48AB",
"versionEndIncluding": "3.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en gopeak MasterLab hasta 3.3.10. Ha sido declarada cr\u00edtica. La funci\u00f3n add/update del archivo app/ctrl/admin/User.php es afectada por esta vulnerabilidad. La manipulaci\u00f3n del argumento avatar conduce a una carga sin restricciones. El ataque se puede lanzar de forma remota. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-249181."
}
],
"id": "CVE-2023-7159",
"lastModified": "2024-11-21T08:45:24.320",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "MULTIPLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.4,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T07:15:11.420",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/FE79uijyqmG7"
},
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/jNbywlXI46HV"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.249181"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.249181"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/FE79uijyqmG7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/jNbywlXI46HV"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.249181"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.249181"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-7147
Vulnerability from fkie_nvd - Published: 2023-12-29 03:15 - Updated: 2024-11-21 08:45
Severity
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10. Affected is the function base64ImageContent of the file app/ctrl/User.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-249150 is the identifier assigned to this vulnerability.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://note.zhaoj.in/share/affd8cjn50HC | Broken Link | |
| cna@vuldb.com | https://vuldb.com/?ctiid.249150 | Permissions Required, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.249150 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://note.zhaoj.in/share/affd8cjn50HC | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.249150 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.249150 | Permissions Required, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "650AE4B5-39D2-4607-8455-957955DF48AB",
"versionEndIncluding": "3.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10. Affected is the function base64ImageContent of the file app/ctrl/User.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-249150 is the identifier assigned to this vulnerability."
},
{
"lang": "es",
"value": "Una vulnerabilidad fue encontrada en gopeak MasterLab hasta 3.3.10 y clasificada como cr\u00edtica. La funci\u00f3n base64ImageContent del archivo app/ctrl/User.php es afectada por la vulnerabilidad. La manipulaci\u00f3n del argumento image conduce a una carga sin restricciones. Es posible lanzar el ataque de forma remota. VDB-249150 es el identificador asignado a esta vulnerabilidad."
}
],
"id": "CVE-2023-7147",
"lastModified": "2024-11-21T08:45:22.537",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T03:15:11.847",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/affd8cjn50HC"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.249150"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.249150"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/affd8cjn50HC"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.249150"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.249150"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-7145
Vulnerability from fkie_nvd - Published: 2023-12-29 02:15 - Updated: 2024-11-21 08:45
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10. This vulnerability affects the function sqlInject of the file app/ctrl/Framework.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249148.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://note.zhaoj.in/share/LEbo1ypfzfQh | Broken Link | |
| cna@vuldb.com | https://vuldb.com/?ctiid.249148 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.249148 | Permissions Required, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://note.zhaoj.in/share/LEbo1ypfzfQh | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.249148 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.249148 | Permissions Required, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "650AE4B5-39D2-4607-8455-957955DF48AB",
"versionEndIncluding": "3.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10. This vulnerability affects the function sqlInject of the file app/ctrl/Framework.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249148."
},
{
"lang": "es",
"value": "Una vulnerabilidad fue encontrada en gopeak MasterLab hasta 3.3.10 y clasificada como cr\u00edtica. Esta vulnerabilidad afecta a la funci\u00f3n sqlInject del archivo app/ctrl/Framework.php del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento pwd conduce a la inyecci\u00f3n de SQL. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. El identificador de esta vulnerabilidad es VDB-249148."
}
],
"id": "CVE-2023-7145",
"lastModified": "2024-11-21T08:45:22.220",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T02:15:45.180",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/LEbo1ypfzfQh"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.249148"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.249148"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/LEbo1ypfzfQh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.249148"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.249148"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-7146
Vulnerability from fkie_nvd - Published: 2023-12-29 02:15 - Updated: 2024-11-21 08:45
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10. This issue affects the function sqlInjectDelete of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249149 was assigned to this vulnerability.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://note.zhaoj.in/share/jRqEcVBTsZh4 | Broken Link | |
| cna@vuldb.com | https://vuldb.com/?ctiid.249149 | Permissions Required, Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.249149 | Permissions Required, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://note.zhaoj.in/share/jRqEcVBTsZh4 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.249149 | Permissions Required, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.249149 | Permissions Required, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "650AE4B5-39D2-4607-8455-957955DF48AB",
"versionEndIncluding": "3.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10. This issue affects the function sqlInjectDelete of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249149 was assigned to this vulnerability."
},
{
"lang": "es",
"value": "Una vulnerabilidad fue encontrada en gopeak MasterLab hasta 3.3.10 y clasificada como cr\u00edtica. Este problema afecta la funci\u00f3n sqlInjectDelete del archivo app/ctrl/framework/Feature.php del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento phone conduce a la inyecci\u00f3n de SQL. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-249149."
}
],
"id": "CVE-2023-7146",
"lastModified": "2024-11-21T08:45:22.363",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T02:15:45.387",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/jRqEcVBTsZh4"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.249149"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.249149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/jRqEcVBTsZh4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.249149"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.249149"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-7144
Vulnerability from fkie_nvd - Published: 2023-12-29 01:15 - Updated: 2024-11-21 08:45
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147.
References
| Source | URL | Tags | |
|---|---|---|---|
| cna@vuldb.com | https://note.zhaoj.in/share/4HDWrBHGCf9e | Broken Link | |
| cna@vuldb.com | https://vuldb.com/?ctiid.249147 | Permissions Required, Third Party Advisory | |
| cna@vuldb.com | https://vuldb.com/?id.249147 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://note.zhaoj.in/share/4HDWrBHGCf9e | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?ctiid.249147 | Permissions Required, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://vuldb.com/?id.249147 | Permissions Required, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:masterlab:masterlab:*:*:*:*:*:*:*:*",
"matchCriteriaId": "650AE4B5-39D2-4607-8455-957955DF48AB",
"versionEndIncluding": "3.3.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147."
},
{
"lang": "es",
"value": "Una vulnerabilidad ha sido encontrada en gopeak MasterLab hasta 3.3.10 y clasificada como cr\u00edtica. Esto afecta a la funci\u00f3n sqlInject del archivo app/ctrl/framework/Feature.php del componente HTTP POST Request Handler. La manipulaci\u00f3n del argumento pwd conduce a la inyecci\u00f3n de SQL. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede utilizarse. El identificador asociado de esta vulnerabilidad es VDB-249147."
}
],
"id": "CVE-2023-7144",
"lastModified": "2024-11-21T08:45:22.053",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.5,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-12-29T01:15:44.137",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/4HDWrBHGCf9e"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.249147"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.249147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://note.zhaoj.in/share/4HDWrBHGCf9e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?ctiid.249147"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required",
"Third Party Advisory"
],
"url": "https://vuldb.com/?id.249147"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-23534
Vulnerability from fkie_nvd - Published: 2021-02-25 16:15 - Updated: 2024-11-21 05:13
Severity
Summary
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
References
| Source | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/gopeak/masterlab/issues/254 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gopeak/masterlab/issues/254 | Exploit, Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:masterlab:masterlab:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "EE09F1E6-3590-44E1-AA92-A3E594219236",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the \u0027source\u0027 parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo server-side request forgery (SSRF) en el archivo Upgrade.php de gopeak masterlab versi\u00f3n 2.1.5, por medio del par\u00e1metro \"source\""
}
],
"id": "CVE-2020-23534",
"lastModified": "2024-11-21T05:13:51.087",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-25T16:15:12.150",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/gopeak/masterlab/issues/254"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/gopeak/masterlab/issues/254"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-7159 (GCVE-0-2023-7159)
Vulnerability from cvelistv5 – Published: 2023-12-29 07:00 – Updated: 2024-08-02 08:50
Title
gopeak MasterLab User.php update unrestricted upload
Summary
A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability.
Severity
4.7 (Medium)
4.7 (Medium)
CWE
- CWE-434 - Unrestricted Upload
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249181 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249181 | signature, permissions-required |
| https://note.zhaoj.in/share/jNbywlXI46HV | broken-link, exploit |
| https://note.zhaoj.in/share/FE79uijyqmG7 | broken-link |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249181"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249181"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/jNbywlXI46HV"
},
{
"tags": [
"broken-link",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/FE79uijyqmG7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "In gopeak MasterLab bis 3.3.10 wurde eine kritische Schwachstelle ausgemacht. Das betrifft die Funktion add/update der Datei app/ctrl/admin/User.php. Durch das Beeinflussen des Arguments avatar mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:30:50.274Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249181"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249181"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/jNbywlXI46HV"
},
{
"tags": [
"broken-link"
],
"url": "https://note.zhaoj.in/share/FE79uijyqmG7"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T13:18:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab User.php update unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7159",
"datePublished": "2023-12-29T07:00:05.537Z",
"dateReserved": "2023-12-28T14:39:02.258Z",
"dateUpdated": "2024-08-02T08:50:08.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7147 (GCVE-0-2023-7147)
Vulnerability from cvelistv5 – Published: 2023-12-29 02:31 – Updated: 2024-08-02 08:50
Title
gopeak MasterLab User.php base64ImageContent unrestricted upload
Summary
A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10. Affected is the function base64ImageContent of the file app/ctrl/User.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-249150 is the identifier assigned to this vulnerability.
Severity
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-434 - Unrestricted Upload
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249150 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249150 | signature, permissions-required |
| https://note.zhaoj.in/share/affd8cjn50HC | broken-link |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249150"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249150"
},
{
"tags": [
"broken-link",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/affd8cjn50HC"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10. Affected is the function base64ImageContent of the file app/ctrl/User.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-249150 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in gopeak MasterLab bis 3.3.10 gefunden. Sie wurde als kritisch eingestuft. Es betrifft die Funktion base64ImageContent der Datei app/ctrl/User.php. Dank der Manipulation des Arguments image mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:29:06.650Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249150"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249150"
},
{
"tags": [
"broken-link"
],
"url": "https://note.zhaoj.in/share/affd8cjn50HC"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:38:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab User.php base64ImageContent unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7147",
"datePublished": "2023-12-29T02:31:04.681Z",
"dateReserved": "2023-12-28T08:33:49.319Z",
"dateUpdated": "2024-08-02T08:50:08.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7146 (GCVE-0-2023-7146)
Vulnerability from cvelistv5 – Published: 2023-12-29 02:00 – Updated: 2024-09-12 18:41
Title
gopeak MasterLab HTTP POST Request Feature.php sqlInjectDelete sql injection
Summary
A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10. This issue affects the function sqlInjectDelete of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249149 was assigned to this vulnerability.
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249149 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249149 | signature, permissions-required |
| https://note.zhaoj.in/share/jRqEcVBTsZh4 | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249149"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249149"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/jRqEcVBTsZh4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:19:25.170049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T18:41:31.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10. This issue affects the function sqlInjectDelete of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249149 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in gopeak MasterLab bis 3.3.10 entdeckt. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion sqlInjectDelete der Datei app/ctrl/framework/Feature.php der Komponente HTTP POST Request Handler. Durch Beeinflussen des Arguments phone mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:27:52.218Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249149"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249149"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/jRqEcVBTsZh4"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:33:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab HTTP POST Request Feature.php sqlInjectDelete sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7146",
"datePublished": "2023-12-29T02:00:05.328Z",
"dateReserved": "2023-12-28T08:33:42.767Z",
"dateUpdated": "2024-09-12T18:41:31.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7145 (GCVE-0-2023-7145)
Vulnerability from cvelistv5 – Published: 2023-12-29 01:31 – Updated: 2024-08-02 08:50
Title
gopeak MasterLab HTTP POST Request Framework.php sqlInject sql injection
Summary
A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10. This vulnerability affects the function sqlInject of the file app/ctrl/Framework.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249148.
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249148 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249148 | signature, permissions-required |
| https://note.zhaoj.in/share/LEbo1ypfzfQh | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249148"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249148"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/LEbo1ypfzfQh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10. This vulnerability affects the function sqlInject of the file app/ctrl/Framework.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249148."
},
{
"lang": "de",
"value": "In gopeak MasterLab bis 3.3.10 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Dabei geht es um die Funktion sqlInject der Datei app/ctrl/Framework.php der Komponente HTTP POST Request Handler. Durch das Beeinflussen des Arguments pwd mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:33:07.698Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249148"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249148"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/LEbo1ypfzfQh"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:29:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab HTTP POST Request Framework.php sqlInject sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7145",
"datePublished": "2023-12-29T01:31:04.615Z",
"dateReserved": "2023-12-28T08:33:38.996Z",
"dateUpdated": "2024-08-02T08:50:08.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7144 (GCVE-0-2023-7144)
Vulnerability from cvelistv5 – Published: 2023-12-29 01:00 – Updated: 2024-08-28 14:20
Title
gopeak MasterLab HTTP POST Request Feature.php sqlInject sql injection
Summary
A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147.
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249147 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249147 | signature, permissions-required |
| https://note.zhaoj.in/share/4HDWrBHGCf9e | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249147"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249147"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/4HDWrBHGCf9e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-27T18:32:03.723190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:20:46.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in gopeak MasterLab bis 3.3.10 entdeckt. Sie wurde als kritisch eingestuft. Es geht dabei um die Funktion sqlInject der Datei app/ctrl/framework/Feature.php der Komponente HTTP POST Request Handler. Durch Manipulieren des Arguments pwd mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:31:02.690Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249147"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249147"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/4HDWrBHGCf9e"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:23:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab HTTP POST Request Feature.php sqlInject sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7144",
"datePublished": "2023-12-29T01:00:04.653Z",
"dateReserved": "2023-12-28T08:33:36.972Z",
"dateUpdated": "2024-08-28T14:20:46.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23534 (GCVE-0-2020-23534)
Vulnerability from cvelistv5 – Published: 2021-02-25 15:59 – Updated: 2024-08-04 14:58
Summary
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gopeak/masterlab/issues/254 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gopeak/masterlab/issues/254"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the \u0027source\u0027 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-25T15:59:14.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gopeak/masterlab/issues/254"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23534",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the \u0027source\u0027 parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gopeak/masterlab/issues/254",
"refsource": "MISC",
"url": "https://github.com/gopeak/masterlab/issues/254"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23534",
"datePublished": "2021-02-25T15:59:14.000Z",
"dateReserved": "2020-08-13T00:00:00.000Z",
"dateUpdated": "2024-08-04T14:58:14.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7159 (GCVE-0-2023-7159)
Vulnerability from nvd – Published: 2023-12-29 07:00 – Updated: 2024-08-02 08:50
Title
gopeak MasterLab User.php update unrestricted upload
Summary
A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability.
Severity
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
4.7 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-434 - Unrestricted Upload
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249181 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249181 | signature, permissions-required |
| https://note.zhaoj.in/share/jNbywlXI46HV | broken-link, exploit |
| https://note.zhaoj.in/share/FE79uijyqmG7 | broken-link |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.272Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249181"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249181"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/jNbywlXI46HV"
},
{
"tags": [
"broken-link",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/FE79uijyqmG7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gopeak MasterLab up to 3.3.10. It has been declared as critical. Affected by this vulnerability is the function add/update of the file app/ctrl/admin/User.php. The manipulation of the argument avatar leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249181 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "In gopeak MasterLab bis 3.3.10 wurde eine kritische Schwachstelle ausgemacht. Das betrifft die Funktion add/update der Datei app/ctrl/admin/User.php. Durch das Beeinflussen des Arguments avatar mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:30:50.274Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249181"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249181"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/jNbywlXI46HV"
},
{
"tags": [
"broken-link"
],
"url": "https://note.zhaoj.in/share/FE79uijyqmG7"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T13:18:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab User.php update unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7159",
"datePublished": "2023-12-29T07:00:05.537Z",
"dateReserved": "2023-12-28T14:39:02.258Z",
"dateUpdated": "2024-08-02T08:50:08.272Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7147 (GCVE-0-2023-7147)
Vulnerability from nvd – Published: 2023-12-29 02:31 – Updated: 2024-08-02 08:50
Title
gopeak MasterLab User.php base64ImageContent unrestricted upload
Summary
A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10. Affected is the function base64ImageContent of the file app/ctrl/User.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-249150 is the identifier assigned to this vulnerability.
Severity
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-434 - Unrestricted Upload
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249150 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249150 | signature, permissions-required |
| https://note.zhaoj.in/share/affd8cjn50HC | broken-link |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.290Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249150"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249150"
},
{
"tags": [
"broken-link",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/affd8cjn50HC"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10. Affected is the function base64ImageContent of the file app/ctrl/User.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. VDB-249150 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in gopeak MasterLab bis 3.3.10 gefunden. Sie wurde als kritisch eingestuft. Es betrifft die Funktion base64ImageContent der Datei app/ctrl/User.php. Dank der Manipulation des Arguments image mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:29:06.650Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249150"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249150"
},
{
"tags": [
"broken-link"
],
"url": "https://note.zhaoj.in/share/affd8cjn50HC"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:38:35.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab User.php base64ImageContent unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7147",
"datePublished": "2023-12-29T02:31:04.681Z",
"dateReserved": "2023-12-28T08:33:49.319Z",
"dateUpdated": "2024-08-02T08:50:08.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7146 (GCVE-0-2023-7146)
Vulnerability from nvd – Published: 2023-12-29 02:00 – Updated: 2024-09-12 18:41
Title
gopeak MasterLab HTTP POST Request Feature.php sqlInjectDelete sql injection
Summary
A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10. This issue affects the function sqlInjectDelete of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249149 was assigned to this vulnerability.
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249149 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249149 | signature, permissions-required |
| https://note.zhaoj.in/share/jRqEcVBTsZh4 | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249149"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249149"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/jRqEcVBTsZh4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-27T15:19:25.170049Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T18:41:31.659Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10. This issue affects the function sqlInjectDelete of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument phone leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249149 was assigned to this vulnerability."
},
{
"lang": "de",
"value": "Eine Schwachstelle wurde in gopeak MasterLab bis 3.3.10 entdeckt. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion sqlInjectDelete der Datei app/ctrl/framework/Feature.php der Komponente HTTP POST Request Handler. Durch Beeinflussen des Arguments phone mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:27:52.218Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249149"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249149"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/jRqEcVBTsZh4"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:33:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab HTTP POST Request Feature.php sqlInjectDelete sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7146",
"datePublished": "2023-12-29T02:00:05.328Z",
"dateReserved": "2023-12-28T08:33:42.767Z",
"dateUpdated": "2024-09-12T18:41:31.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7145 (GCVE-0-2023-7145)
Vulnerability from nvd – Published: 2023-12-29 01:31 – Updated: 2024-08-02 08:50
Title
gopeak MasterLab HTTP POST Request Framework.php sqlInject sql injection
Summary
A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10. This vulnerability affects the function sqlInject of the file app/ctrl/Framework.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249148.
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249148 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249148 | signature, permissions-required |
| https://note.zhaoj.in/share/LEbo1ypfzfQh | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.408Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249148"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249148"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/LEbo1ypfzfQh"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10. This vulnerability affects the function sqlInject of the file app/ctrl/Framework.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249148."
},
{
"lang": "de",
"value": "In gopeak MasterLab bis 3.3.10 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Dabei geht es um die Funktion sqlInject der Datei app/ctrl/Framework.php der Komponente HTTP POST Request Handler. Durch das Beeinflussen des Arguments pwd mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:33:07.698Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249148"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249148"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/LEbo1ypfzfQh"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:29:18.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab HTTP POST Request Framework.php sqlInject sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7145",
"datePublished": "2023-12-29T01:31:04.615Z",
"dateReserved": "2023-12-28T08:33:38.996Z",
"dateUpdated": "2024-08-02T08:50:08.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-7144 (GCVE-0-2023-7144)
Vulnerability from nvd – Published: 2023-12-29 01:00 – Updated: 2024-08-28 14:20
Title
gopeak MasterLab HTTP POST Request Feature.php sqlInject sql injection
Summary
A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147.
Severity
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
6.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE
- CWE-89 - SQL Injection
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://vuldb.com/?id.249147 | vdb-entry, technical-description |
| https://vuldb.com/?ctiid.249147 | signature, permissions-required |
| https://note.zhaoj.in/share/4HDWrBHGCf9e | broken-link, exploit |
Impacted products
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:50:08.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.249147"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.249147"
},
{
"tags": [
"broken-link",
"exploit",
"x_transferred"
],
"url": "https://note.zhaoj.in/share/4HDWrBHGCf9e"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7144",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-27T18:32:03.723190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T14:20:46.322Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP POST Request Handler"
],
"product": "MasterLab",
"vendor": "gopeak",
"versions": [
{
"status": "affected",
"version": "3.3.0"
},
{
"status": "affected",
"version": "3.3.1"
},
{
"status": "affected",
"version": "3.3.2"
},
{
"status": "affected",
"version": "3.3.3"
},
{
"status": "affected",
"version": "3.3.4"
},
{
"status": "affected",
"version": "3.3.5"
},
{
"status": "affected",
"version": "3.3.6"
},
{
"status": "affected",
"version": "3.3.7"
},
{
"status": "affected",
"version": "3.3.8"
},
{
"status": "affected",
"version": "3.3.9"
},
{
"status": "affected",
"version": "3.3.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "glzjin (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10. This affects the function sqlInject of the file app/ctrl/framework/Feature.php of the component HTTP POST Request Handler. The manipulation of the argument pwd leads to sql injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249147."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in gopeak MasterLab bis 3.3.10 entdeckt. Sie wurde als kritisch eingestuft. Es geht dabei um die Funktion sqlInject der Datei app/ctrl/framework/Feature.php der Komponente HTTP POST Request Handler. Durch Manipulieren des Arguments pwd mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-13T07:31:02.690Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.249147"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.249147"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://note.zhaoj.in/share/4HDWrBHGCf9e"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-12-28T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-12-28T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2024-01-20T09:23:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "gopeak MasterLab HTTP POST Request Feature.php sqlInject sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-7144",
"datePublished": "2023-12-29T01:00:04.653Z",
"dateReserved": "2023-12-28T08:33:36.972Z",
"dateUpdated": "2024-08-28T14:20:46.322Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23534 (GCVE-0-2020-23534)
Vulnerability from nvd – Published: 2021-02-25 15:59 – Updated: 2024-08-04 14:58
Summary
A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the 'source' parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gopeak/masterlab/issues/254 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:14.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gopeak/masterlab/issues/254"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the \u0027source\u0027 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-25T15:59:14.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gopeak/masterlab/issues/254"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23534",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A server-side request forgery (SSRF) vulnerability in Upgrade.php of gopeak masterlab 2.1.5, via the \u0027source\u0027 parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gopeak/masterlab/issues/254",
"refsource": "MISC",
"url": "https://github.com/gopeak/masterlab/issues/254"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23534",
"datePublished": "2021-02-25T15:59:14.000Z",
"dateReserved": "2020-08-13T00:00:00.000Z",
"dateUpdated": "2024-08-04T14:58:14.991Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}