CVE-2023-49546
Published: 05 March 2024
Summary
CVE-2023-49546 is a high-severity SQL Injection (CWE-89) vulnerability in Oretnom23 Customer Support System. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Account (T1087.001); ranked in the top 33.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-53503
Vulnerability details
Customer Support System v1 was discovered to contain a SQL injection vulnerability via the email parameter at /customer_support/ajax.php.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the email parameter during the staff save operation allows arbitrary SQL queries against the backend MySQL database, facilitating local account discovery via the user/staff tables, exploitation for credential access (e.g., dumping password hashes), and collection of data from the database.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.