CVE-2023-22900
Critical
Published: 31 January 2023
Published
31 January 2023
Modified
21 November 2024
KEV Added
—
Patch
—
CVSS Score v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.0054
67.9th percentile
Risk Priority
20
60% EPSS · 20% KEV · 20% CVSS
Summary
CVE-2023-22900 is a critical-severity SQL Injection (CWE-89) vulnerability in Thinkingsoftware Efence. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 32.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-27002
Vulnerability details
Efence login function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, modify or delete database.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
thinkingsoftware
efence
1.2.58
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.