Cyber Resilience

CVE-2023-27037

Severity: High · Public PoC referenced

Published: 16 March 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0329 (87.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-27037 is a high-severity SQL Injection (CWE-89) vulnerability in Qibosoft Qibocms. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 12.5% of CVEs by exploit likelihood (EPSS 87.5th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Qibosoft QiboCMS version 7 contains a remote code execution vulnerability in the Get_Title function at label_set_rs.php. The flaw is tracked as CVE-2023-27037 with a CVSS 3.1 score of 8.8 and is categorized under CWE-89. The affected component allows an attacker to reach code execution through this entry point in the content management system.

An authenticated user with low privileges can trigger the issue remotely over the network without user interaction, resulting in complete loss of confidentiality, integrity, and availability on the target installation.

EPSS for the CVE rose from lower values to a peak of 0.0765 on 2026-03-04 before receding to the current score of 0.0329, indicating a period of increased exploitation interest after disclosure. Public references consist of GitHub disclosures that do not include official patch or mitigation guidance.

Vulnerability details

Qibosoft QiboCMS v7 was discovered to contain a remote code execution (RCE) vulnerability via the Get_Title function at label_set_rs.php.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qibosoft
Product: qibocms
Version: v7

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)

- Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)
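As an added illustration of the CWE-89 controls listed above (this is example code written for this page, not code from Qibocms or from the disclosure; the table, function names and sample rows are constructed), the following Python/sqlite3 snippet places the injectable query pattern beside its parameterized form and adds an integer allow-list check as a second layer:

```python
import sqlite3

# Constructed sample data: a tiny "articles" table standing in for a CMS content table.
SAMPLE_ROWS = [
    (1, "Welcome post", 1),
    (2, "Unpublished draft", 0),
    (3, "Release notes", 1),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_title_vulnerable(conn, article_id):
    """CWE-89 pattern: untrusted input is spliced straight into the SQL text.

    A value such as "1' OR '1'='1" turns the WHERE clause into a tautology and
    leaks rows the query was never meant to return (here: the unpublished draft).
    """
    sql = f"SELECT title FROM articles WHERE published = 1 AND id = '{article_id}'"
    return [row[0] for row in conn.execute(sql)]


def get_title_safe(conn, article_id):
    """Hardened form: the value travels as a bound parameter, never as SQL syntax."""
    sql = "SELECT title FROM articles WHERE published = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (article_id,))]


def validate_id(raw):
    """Input validation layer: accept only a positive decimal integer string.

    Raises ValueError for anything else, so malformed input is rejected before
    it reaches the database at all.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError(f"rejected non-numeric id: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"  # constructed tautology input for the demonstration
    print("vulnerable, normal input :", get_title_vulnerable(db, "1"))
    print("vulnerable, tautology    :", get_title_vulnerable(db, payload))
    print("safe, normal input       :", get_title_safe(db, validate_id("1")))
    print("safe, tautology          :", get_title_safe(db, payload))
```

The parameterized query alone closes the injection; the allow-list check is defence in depth that also gives a clean rejection point for logging and alerting on malformed ids.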
