Cyber Resilience

CVE-2023-31702

High · Public PoC

Published: 17 May 2023

Modified: 22 January 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0748 (92.0th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-31702 is a high-severity SQL Injection (CWE-89) vulnerability in Escanav Escan Management Console. Its CVSS base score is 7.2 (High).

Operationally, it is ranked in the top 8.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-31702 is an SQL injection vulnerability in the View User Profile functionality of MicroWorld eScan Management Console version 14.0.1400.2281. The flaw exists in the GetUserCurrentPwd endpoint, where the UsrId parameter is not properly sanitized, enabling direct database interaction.

An authenticated remote attacker with administrative privileges can supply a crafted UsrId value to extract the full database contents and obtain a Windows command shell on the underlying database server, resulting in arbitrary code execution. The CVSS 7.2 score reflects a network attack vector, low attack complexity, a requirement for high privileges, and high impact on confidentiality, integrity, and availability.

Public references consist solely of exploit proof-of-concept disclosures on Packet Storm and GitHub; no vendor advisory or patch information is provided. The associated EPSS score has remained flat at 0.0835 with no material increase since publication.

Vulnerability details

SQL injection in the View User Profile in MicroWorld eScan Management Console 14.0.1400.2281 allows a remote attacker to dump the entire database and gain a Windows XP command shell to perform code execution on the database server via GetUserCurrentPwd?UsrId=1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

escanav
escan management console
14.0.1400.2281

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.
