CVE-2023-38880 (GCVE-0-2023-38880)

Vulnerability from cvelistv5 – Published: 2023-11-20 00:00 – Updated: 2024-08-02 17:54
VLAI?
Summary
The Community Edition version 9.0 of OS4ED's openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of "opensisBackup<date>.sql" (e.g. "opensisBackup07-20-2023.sql"), i.e. can easily be guessed. This file can be accessed by any unauthenticated actor and contains a dump of the whole database including password hashes.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:54:39.233Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/OS4ED/openSIS-Classic"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.os4ed.com/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38880"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Community Edition version 9.0 of OS4ED\u0027s openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of \"opensisBackup\u003cdate\u003e.sql\" (e.g. \"opensisBackup07-20-2023.sql\"), i.e. can easily be guessed. This file can be accessed by any unauthenticated actor and contains a dump of the whole database including password hashes."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-29T22:48:58.783202",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/OS4ED/openSIS-Classic"
        },
        {
          "url": "https://www.os4ed.com/"
        },
        {
          "url": "https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38880"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-38880",
    "datePublished": "2023-11-20T00:00:00",
    "dateReserved": "2023-07-25T00:00:00",
    "dateUpdated": "2024-08-02T17:54:39.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:os4ed:opensis:9.0:*:*:*:community:*:*:*\", \"matchCriteriaId\": \"31C122B7-1057-40D8-B883-8C41776AA826\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Community Edition version 9.0 of OS4ED\u0027s openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of \\\"opensisBackup\u003cdate\u003e.sql\\\" (e.g. \\\"opensisBackup07-20-2023.sql\\\"), i.e. can easily be guessed. This file can be accessed by any unauthenticated actor and contains a dump of the whole database including password hashes.\"}, {\"lang\": \"es\", \"value\": \"La versi\\u00f3n Community Edition 9.0 de openSIS Classic de OS4ED tiene una vulnerabilidad de control de acceso rota en la funcionalidad de copia de seguridad de la base de datos. Siempre que un administrador genera una copia de seguridad de la base de datos, la copia de seguridad se almacena en la ra\\u00edz web mientras el nombre del archivo tiene el formato \\\"opensisBackup.sq|\\\" (p. ej., \\\"opensisBackup07-20-2023.sql\\\"), es decir, se puede adivinar f\\u00e1cilmente. Cualquier actor no autenticado puede acceder a este archivo y contiene un volcado de toda la base de datos, incluidos los hashes de contrase\\u00f1as.\"}]",
      "id": "CVE-2023-38880",
      "lastModified": "2024-11-21T08:14:21.227",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-11-20T19:15:08.600",
      "references": "[{\"url\": \"https://github.com/OS4ED/openSIS-Classic\", \"source\": \"cve@mitre.org\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38880\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.os4ed.com/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/OS4ED/openSIS-Classic\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}, {\"url\": \"https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38880\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.os4ed.com/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-38880\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-11-20T19:15:08.600\",\"lastModified\":\"2024-11-21T08:14:21.227\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Community Edition version 9.0 of OS4ED\u0027s openSIS Classic has a broken access control vulnerability in the database backup functionality. Whenever an admin generates a database backup, the backup is stored in the web root while the file name has a format of \\\"opensisBackup\u003cdate\u003e.sql\\\" (e.g. \\\"opensisBackup07-20-2023.sql\\\"), i.e. can easily be guessed. This file can be accessed by any unauthenticated actor and contains a dump of the whole database including password hashes.\"},{\"lang\":\"es\",\"value\":\"La versi\u00f3n Community Edition 9.0 de openSIS Classic de OS4ED tiene una vulnerabilidad de control de acceso rota en la funcionalidad de copia de seguridad de la base de datos. Siempre que un administrador genera una copia de seguridad de la base de datos, la copia de seguridad se almacena en la ra\u00edz web mientras el nombre del archivo tiene el formato \\\"opensisBackup.sq|\\\" (p. ej., \\\"opensisBackup07-20-2023.sql\\\"), es decir, se puede adivinar f\u00e1cilmente. Cualquier actor no autenticado puede acceder a este archivo y contiene un volcado de toda la base de datos, incluidos los hashes de contrase\u00f1as.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:os4ed:opensis:9.0:*:*:*:community:*:*:*\",\"matchCriteriaId\":\"31C122B7-1057-40D8-B883-8C41776AA826\"}]}]}],\"references\":[{\"url\":\"https://github.com/OS4ED/openSIS-Classic\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38880\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.os4ed.com/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/OS4ED/openSIS-Classic\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38880\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.os4ed.com/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.