cnvd - cnvd-2023-40579

CNVD-2023-40579

Vulnerability from cnvd - Published: 2023-05-26

Title

Budget And Expense Tracker System SQL注入漏洞

Description

Budget And Expense Tracker System是一个基于Web的应用程序。用于管理您的个人/小型企业预算和开支。 Budget and Expense Tracker System v1.0版本存在SQL注入漏洞，该漏洞源于/admin/budget/manage_budget.ph的参数id缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令窃取数据库敏感数据。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html

Reference

https://vuldb.com/?id.229278

Impacted products

Name
Budget and Expense Tracker System Budget and Expense Tracker System 1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-2772",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-2772"
    }
  },
  "description": "Budget And Expense Tracker System\u662f\u4e00\u4e2a\u57fa\u4e8eWeb\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\u7528\u4e8e\u7ba1\u7406\u60a8\u7684\u4e2a\u4eba/\u5c0f\u578b\u4f01\u4e1a\u9884\u7b97\u548c\u5f00\u652f\u3002\n\nBudget and Expense Tracker System v1.0\u7248\u672c\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e/admin/budget/manage_budget.ph\u7684\u53c2\u6570id\u7f3a\u5c11\u5bf9\u5916\u90e8\u8f93\u5165SQL\u8bed\u53e5\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u7a83\u53d6\u6570\u636e\u5e93\u654f\u611f\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.sourcecodester.com/php/14893/budget-and-expense-tracker-system-php-free-source-code.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-40579",
  "openTime": "2023-05-26",
  "products": {
    "product": "Budget and Expense Tracker System Budget and Expense Tracker System 1.0"
  },
  "referenceLink": "https://vuldb.com/?id.229278",
  "serverity": "\u4e2d",
  "submitTime": "2023-05-19",
  "title": "Budget And Expense Tracker System SQL\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2023-2772 (GCVE-0-2023-2772)

Vulnerability from cvelistv5 – Published: 2023-05-17 18:31 – Updated: 2024-11-22 19:50

Title

SourceCodester Budget and Expense Tracker System GET Parameter manage_budget.php sql injection

Summary

A vulnerability, which was classified as critical, was found in SourceCodester Budget and Expense Tracker System 1.0. Affected is an unknown function of the file /admin/budget/manage_budget.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-229278 is the identifier assigned to this vulnerability.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

6.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-89 - SQL Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.229278	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.229278	signaturepermissions-required
	https://github.com/wucwu1/CVEApplication/blob/mai…	exploit

Impacted products

	Vendor	Product	Version
	SourceCodester	Budget and Expense Tracker System	Affected: 1.0

Credits

wucwu1 (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:33:05.464Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.229278"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.229278"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://github.com/wucwu1/CVEApplication/blob/main/SQL.md"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2772",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-22T19:50:31.905700Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-22T19:50:41.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "GET Parameter Handler"
          ],
          "product": "Budget and Expense Tracker System",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "wucwu1 (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in SourceCodester Budget and Expense Tracker System 1.0. Affected is an unknown function of the file /admin/budget/manage_budget.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-229278 is the identifier assigned to this vulnerability."
        },
        {
          "lang": "de",
          "value": "Es wurde eine Schwachstelle in SourceCodester Budget and Expense Tracker System 1.0 gefunden. Sie wurde als kritisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Datei /admin/budget/manage_budget.php der Komponente GET Parameter Handler. Mittels dem Manipulieren des Arguments id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 SQL Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-23T06:34:21.320Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.229278"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.229278"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/wucwu1/CVEApplication/blob/main/SQL.md"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-05-17T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-05-17T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-05-17T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-06-10T11:43:22.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "SourceCodester Budget and Expense Tracker System GET Parameter manage_budget.php sql injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-2772",
    "datePublished": "2023-05-17T18:31:04.581Z",
    "dateReserved": "2023-05-17T16:53:40.265Z",
    "dateUpdated": "2024-11-22T19:50:41.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-40579

CVE-2023-2772 (GCVE-0-2023-2772)

Tags

Sightings

Nomenclature