CVE-2023-1455

A vulnerability classified as critical was found in SourceCodester Online Pizza Ordering System 1.0. This vulnerability affects unknown code of the file admin/ajax.php?action=login2 of the component Login Page. The manipulation of the argument email with the input abc%40qq.com' AND (SELECT 9110 FROM (SELECT(SLEEP(5)))XSlc) AND 'jFNl'='jFNl leads to sql injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223300.

CVSS v3 8.1 HIGH
CVSS v2.0 5.1 MEDIUM

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

5.1^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability : 4.9 / Impact : 6.4

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://vuldb.com/?ctiid.223300	Permissions Required Third Party Advisory VDB Entry
https://vuldb.com/?id.223300	Permissions Required Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:online_pizza_ordering_system_project:online_pizza_ordering_system:1.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-03-17 07:15

Updated : 2024-05-17 02:18

NVD link : CVE-2023-1455

Mitre link : CVE-2023-1455

CVE.ORG link : CVE-2023-1455

JSON object : View

Products Affected

online_pizza_ordering_system_project

online_pizza_ordering_system

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-1455", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 5.1, "accessVector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "HIGH", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 4.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.2}]}, "published": "2023-03-17T07:15:13.767", "references": [{"url": "https://vuldb.com/?ctiid.223300", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.223300", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical was found in SourceCodester Online Pizza Ordering System 1.0. This vulnerability affects unknown code of the file admin/ajax.php?action=login2 of the component Login Page. The manipulation of the argument email with the input abc%40qq.com' AND (SELECT 9110 FROM (SELECT(SLEEP(5)))XSlc) AND 'jFNl'='jFNl leads to sql injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-223300."}], "lastModified": "2024-05-17T02:18:07.007", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:online_pizza_ordering_system_project:online_pizza_ordering_system:1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F6E8E2F0-0703-41CF-B750-06DAD69757E5"}], "operator": "OR"}]}], "sourceIdentifier": "cna@vuldb.com"}