CVE-2023-31171 (GCVE-0-2023-31171)

Vulnerability from cvelistv5 – Published: 2023-08-31 15:30 – Updated: 2024-09-27 18:48
Title
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator. See Instruction Manual Appendix A and Appendix E dated 20230615 for more details. This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
SEL
Credits
Gabriele Quagliarella of Nozomi Networks

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:45:25.875Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://selinc.com/support/security-notifications/external-reports/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.nozominetworks.com/blog/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-31171",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-27T18:06:44.809247Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-27T18:48:28.691Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "SEL-5030 acSELerator QuickSet Software",
          "vendor": "Schweitzer Engineering Laboratories",
          "versions": [
            {
              "lessThanOrEqual": "7.1.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Gabriele Quagliarella of Nozomi Networks"
        }
      ],
      "datePublic": "2023-08-31T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\nAn Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.\n\n\u003cbr\u003e\u003cbr\u003e\n\nSee Instruction Manual Appendix A and Appendix E dated 20230615 for more details.\n\n\u003cbr\u003e\u003cp\u003eThis issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.\u003c/p\u003e"
            }
          ],
          "value": "\nAn Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.\n\n\n\n\n\nSee Instruction Manual Appendix A and Appendix E dated 20230615 for more details.\n\n\nThis issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-549",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-549 Local Execution of Code"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-31T15:30:41.030Z",
        "orgId": "5804bb70-792c-43e0-8596-486cc0efe699",
        "shortName": "SEL"
      },
      "references": [
        {
          "url": "https://selinc.com/support/security-notifications/external-reports/"
        },
        {
          "url": "https://www.nozominetworks.com/blog/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "5804bb70-792c-43e0-8596-486cc0efe699",
    "assignerShortName": "SEL",
    "cveId": "CVE-2023-31171",
    "datePublished": "2023-08-31T15:30:41.030Z",
    "dateReserved": "2023-04-24T23:20:01.609Z",
    "dateUpdated": "2024-09-27T18:48:28.691Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:selinc:sel-5030_acselerator_quickset:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"7.1.3.0\", \"matchCriteriaId\": \"B7FE991E-8E2F-4B6D-A0F7-E9D67913B5B6\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\nAn Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.\\n\\n\\n\\n\\n\\nSee Instruction Manual Appendix A and Appendix E dated 20230615 for more details.\\n\\n\\nThis issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.\\n\\n\"}]",
      "id": "CVE-2023-31171",
      "lastModified": "2024-11-21T08:01:33.240",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security@selinc.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.5, \"impactScore\": 4.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2023-08-31T16:15:09.403",
      "references": "[{\"url\": \"https://selinc.com/support/security-notifications/external-reports/\", \"source\": \"security@selinc.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.nozominetworks.com/blog/\", \"source\": \"security@selinc.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://selinc.com/support/security-notifications/external-reports/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.nozominetworks.com/blog/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@selinc.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@selinc.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}]}]"
    }
  }
}

