CVE-2023-47253
Published: 06 November 2023
Summary
CVE-2023-47253 is a critical-severity Command Injection (CWE-77) vulnerability in Qualitor (vendor and product are both named Qualitor). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Qualitor through version 8.20 contains a command-injection vulnerability (CWE-77) that permits unauthenticated remote code execution. The flaw resides in the gridValoresPopHidden parameter of html/ad/adpesquisasql/request/processVariavel.php: attacker-supplied PHP code in that parameter is processed without sanitization and executed directly on the server.
An attacker with network access can submit a crafted request to the affected endpoint and obtain arbitrary code execution with the privileges of the web-server process. Successful exploitation yields full confidentiality, integrity, and availability impact, consistent with the CVSS 9.8 rating, which reflects that exploitation requires neither authentication nor user interaction.
The associated EPSS score has reached 0.939, indicating a high likelihood of exploitation. Vendor advisories and updated releases are referenced at qualitor.com.br, including an official security advisory for CVE-2023-47253.
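Until an installation is moved to a fixed release, the only facts a defender has to work with are the endpoint path and the parameter name above. The following is an added detection example, not code from this advisory or from Qualitor: it walks web-server access-log lines, flags any request that reaches processVariavel.php, and raises the severity when gridValoresPopHidden carries code-like content. The "combined" Apache/nginx log format, the CODE_MARKERS heuristic and the sample log lines are all assumptions constructed for the example.

```python
"""Added example (not from the advisory or from Qualitor): flag access-log
requests that reach the vulnerable processVariavel.php endpoint and carry
the gridValoresPopHidden parameter, so that attempts against unpatched
hosts (Qualitor <= 8.20) are visible. Log format assumed: Apache/nginx
"combined". Sample lines are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

VULN_PATH = "/html/ad/adpesquisasql/request/processVariavel.php"
VULN_PARAM = "gridValoresPopHidden"

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic (assumption): characters that suggest the parameter holds code,
# not ordinary grid data. Any hit on the endpoint is reported regardless.
CODE_MARKERS = ("<?", "(", ";", "$", "`")


def analyse_request(method, target, body=None):
    """Return None if the request does not touch the vulnerable endpoint,
    otherwise a dict with a severity and the reason it was flagged."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        # POST bodies are not in access logs; a proxy/WAF capture can supply them.
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)
    values = params.get(VULN_PARAM)
    if values is None:
        return {"severity": "low",
                "reason": "request to vulnerable endpoint, parameter not visible"}
    if any(marker in v for v in values for marker in CODE_MARKERS):
        return {"severity": "high",
                "reason": "code-like content in " + VULN_PARAM, "values": values}
    return {"severity": "medium",
            "reason": VULN_PARAM + " present", "values": values}


def scan_access_log(lines):
    """Return a list of (client, time, status, finding) for lines to investigate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        finding = analyse_request(m["method"], m["target"])
        if finding:
            hits.append((m["client"], m["time"], m["status"], finding))
    return hits


# Constructed sample log (documentation-range addresses, inert parameter values).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2023:10:01:02 +0000] "GET /html/ad/adpesquisasql/request/'
    'processVariavel.php?gridValoresPopHidden=%3C%3Fphp+echo+1%3B HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/Nov/2023:10:02:15 +0000] "GET /html/ad/adpesquisasql/request/'
    'processVariavel.php?gridValoresPopHidden=abc HTTP/1.1" 200 340',
    '198.51.100.4 - - [06/Nov/2023:10:02:16 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [06/Nov/2023:10:03:40 +0000] "POST /html/ad/adpesquisasql/request/'
    'processVariavel.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, when, status, finding in scan_access_log(SAMPLE_LOG):
        print(client, when, status, finding["severity"], finding["reason"])
```

Because GET query strings are the only request data a standard access log records, a POST to the endpoint is reported at low severity even though its body may carry the parameter; feed proxy or WAF captures through analyse_request(body=...) to classify those. Detection is a stopgap; the mitigation remains upgrading past 8.20 per the vendor advisory.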
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-51384
Vulnerability details
Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter.
- CWE(s): CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.