CVE-2023-37777
Published: 22 January 2025
Description
A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands.
Security Summary
CVE-2023-37777 is a SQL injection vulnerability affecting Synnefo Internet Management Software (IMS) version 2023 and earlier. The flaw arises from improper input validation in a specific API endpoint parameter, enabling attackers to inject and manipulate SQL queries through crafted input. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and mapped to CWE-89, it was published on 2025-01-22.
Remote attackers require only network access with no authentication, privileges, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants unauthorized access to database records using DB administrator privileges, allowing attackers to escalate privileges further and execute arbitrary operating system commands.
Mitigation details are available in the referenced advisories, including the vendor site at https://synnefoims.com/ and the discovery write-up at https://infosecwriteups.com/how-i-discovered-a-critical-vulnerability-in-an-internet-service-providers-software-56c6cc00f338.
Details
- CWE(s)