CVE-2023-51810
Published: 16 January 2024
Summary
CVE-2023-51810 is a high-severity SQL Injection (CWE-89) vulnerability in Stackideas Easydiscuss. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-51810 is a SQL injection vulnerability affecting StackIdeas EasyDiscuss version 5.0.5 in the search parameter of the Users module. The flaw, assigned CWE-89, permits extraction of sensitive information and carries a CVSS 3.1 score of 7.5 reflecting network-accessible exploitation with no required authentication or user interaction. The issue was resolved in version 5.0.10.
Unauthenticated remote attackers can supply a crafted request to the affected search parameter and retrieve sensitive data from the underlying database. Because the vector requires no credentials or special privileges, any internet-facing EasyDiscuss installation running the vulnerable release is exposed.
The product was updated to 5.0.10 to correct the injection flaw. Public references include the vendor sites easydiscuss.com and stackideas.com along with a proof-of-concept repository on GitHub.
EPSS remains flat at 0.0618 with no material increase after disclosure. Public exploit code is available, but no evidence of in-the-wild exploitation is provided in the supplied data.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-56494
Vulnerability details
SQL injection vulnerability in StackIdeas EasyDiscuss v.5.0.5 and fixed in v.5.0.10 allows a remote attacker to obtain sensitive information via a crafted request to the search parameter in the Users module.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in a public-facing Joomla component (EasyDiscuss users search) enables exploitation of public-facing applications (T1190) and facilitates collection of sensitive data from databases (T1213.006) via blind SQLi payloads.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.