FKIE_CVE-2023-4309

Vulnerability from fkie_nvd - Published: 2023-10-10 18:15 - Updated: 2026-06-17 06:37
Severity
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.
References
9119a7d8-5eab-497f-8521-727c672e3725https://schemasecurity.co/private-elections.pdf
9119a7d8-5eab-497f-8521-727c672e3725https://www.electionservicesco.com/pages/services_internet.php
9119a7d8-5eab-497f-8521-727c672e3725https://www.youtube.com/watch?v=yeG1xZkHc64
af854a3a-2127-422b-91ae-364da2661108https://schemasecurity.co/private-elections.pdf
af854a3a-2127-422b-91ae-364da2661108https://www.electionservicesco.com/pages/services_internet.php
af854a3a-2127-422b-91ae-364da2661108https://www.youtube.com/watch?v=yeG1xZkHc64
Impacted products
Vendor Product Version
electionservicesco internet_election_service -
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unknown",
          "product": "Internet Election Service",
          "vendor": "Election Services Co. (ESC)",
          "versions": [
            {
              "lessThanOrEqual": "2023-08-12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "source": "9119a7d8-5eab-497f-8521-727c672e3725"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:electionservicesco:internet_election_service:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "78627388-63C2-42E7-B55C-83A012931A9A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [
    {
      "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
      "tags": [
        "exclusively-hosted-service"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.\n"
    },
    {
      "lang": "es",
      "value": "El servicio electoral de Internet de Election Services Co. (ESC) es vulnerable a la inyecci\u00f3n de SQL en m\u00faltiples p\u00e1ginas y par\u00e1metros. Estas vulnerabilidades permiten que un atacante remoto no autenticado lea o modifique datos para cualquier elecci\u00f3n que comparta la misma base de datos backend. ESC desactiv\u00f3 las elecciones antiguas y no utilizadas y habilit\u00f3 la protecci\u00f3n de firewall de aplicaciones web (WAF) para las elecciones actuales y futuras el 2023-08-12 o alrededor de esa fecha."
    }
  ],
  "id": "CVE-2023-4309",
  "lastModified": "2026-06-17T06:37:32.790",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.0,
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2023-4309",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-09-18T18:52:08.028644Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2023-10-10T18:15:19.173",
  "references": [
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "url": "https://schemasecurity.co/private-elections.pdf"
    },
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "url": "https://www.electionservicesco.com/pages/services_internet.php"
    },
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "url": "https://www.youtube.com/watch?v=yeG1xZkHc64"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://schemasecurity.co/private-elections.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.electionservicesco.com/pages/services_internet.php"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.youtube.com/watch?v=yeG1xZkHc64"
    }
  ],
  "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.