Cyber Resilience

CVE-2023-6655

High · Public PoC

Published: 10 December 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 base score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.2494 (96.3rd percentile)
Risk Priority: 30 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6655 is a high-severity SQL injection (CWE-89) vulnerability in Hongjing e-HR 2020 (listed under the vendor name hrp2000, product e-hr). Its CVSS v3.1 base score is 7.3 (High).

Operationally, it ranks in the top 3.7% of CVEs by exploit likelihood (EPSS 96.3rd percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

An SQL injection vulnerability, tracked as CVE-2023-6655 and assigned CWE-89, affects Hongjing e-HR 2020 (VulDB classifies it as critical; the CVSS v3.1 base score is 7.3, High). The flaw is reached without authentication through the Login Interface component at /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree. The %2e./.%2e segment is URL-encoded ../.., so once the server decodes and normalises the path the request lands on /general/inform/org/loadhistroyorgtree, a handler outside the oauthservlet prefix; the encoded traversal is presumably what lets a request on the unauthenticated login path reach it. Unsanitised input in that handler's parentid parameter is passed directly into a database query.

Remote attackers can exploit the issue over the network without credentials or user interaction to read, modify, or delete a limited set of data, matching the CVSS 7.3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). A public proof-of-concept has been released, so the injection is straightforward to reproduce; a UNION- or boolean-based payload in parentid is the usual confirmation, and it should only be run against an instance you are authorised to test.
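To make the flaw concrete, the following added example (written for this page, not code from Hongjing or from the public PoC) reproduces the described pattern against an in-memory SQLite table: a loadhistroyorgtree-style lookup that concatenates parentid into its query, beside the parameterised form that closes the hole. The table and column names, the SQLite engine and the UNION payload are assumptions; the product's real schema and DBMS are not given on this page.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the org tree and a credentials table.

    Assumption: the real e-HR schema is not public here, so 'org' and
    'users' with these columns are invented purely for the demonstration.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE org (id TEXT, parentid TEXT, name TEXT);
        INSERT INTO org VALUES ('1', '0', 'HQ'), ('2', '1', 'Finance'), ('3', '1', 'IT');
        CREATE TABLE users (login TEXT, passwd TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('hr01', 'hunter2');
        """
    )
    return conn


def load_org_tree_vulnerable(conn, parentid):
    """The pattern the advisory describes: parentid is pasted into the SQL.

    Anything the caller puts in parentid is parsed as SQL, so a quote closes
    the literal and the rest of the payload becomes part of the statement.
    """
    sql = "SELECT id, name FROM org WHERE parentid = '" + parentid + "'"
    return conn.execute(sql).fetchall()


def load_org_tree_fixed(conn, parentid):
    """Same query, but parentid travels as a bound parameter.

    The driver sends the value separately from the statement text, so the
    payload is compared as an opaque string and never reaches the parser.
    """
    sql = "SELECT id, name FROM org WHERE parentid = ?"
    return conn.execute(sql, (parentid,)).fetchall()


# A UNION payload that appends every row of the (assumed) users table to the
# org lookup; '--' comments out the trailing quote left by the template.
UNION_PAYLOAD = "1' UNION SELECT login, passwd FROM users--"


def demo():
    """Run both variants with the same payload and return their results."""
    conn = make_db()
    leaked = load_org_tree_vulnerable(conn, UNION_PAYLOAD)
    safe = load_org_tree_fixed(conn, UNION_PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)  # org rows plus admin/hr01 credentials
    print("fixed:     ", safe)    # [] : the payload matches no parentid
```

The vulnerable variant returns the two child organisations and both credential rows; the fixed variant returns nothing for the payload and the two child rows for a genuine parentid of 1. Only the read path is shown because sqlite3's execute() refuses stacked statements; the C:L/I:L/A:L vector indicates the real target also permits limited writes.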

EPSS scores for the CVE peaked at 0.3869 before receding to the current 0.2494, indicating moderate and sustained, but not rapidly escalating, interest from exploit authors since disclosure. No official patch or mitigation guidance is referenced in the available advisories, so input validation on the affected parameter and monitoring of the endpoint are the compensating measures available until the vendor provides a fix.
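Because no patch or vendor guidance is referenced, the practical check is whether the endpoint has already been hit. The added example below (written for this page, not from the vendor or the advisory) scans constructed access-log lines for the two signatures the advisory gives: a percent-encoded ../ that normalises to /general/inform/org/loadhistroyorgtree, and SQL metacharacters in parentid. The combined-log format, client addresses and timestamps are constructed; the decoding loop also catches double-encoded dots (%252e), a variant the page does not mention.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: two benign requests and one carrying the encoded
# traversal plus a UNION payload. Addresses are from the 192.0.2.0/24
# documentation range; nothing here is a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Dec/2023:08:01:02 +0000] "GET /w_selfservice/oauthservlet/login HTTP/1.1" 200 512
192.0.2.11 - - [11/Dec/2023:08:01:05 +0000] "GET /general/inform/org/loadhistroyorgtree?parentid=1 HTTP/1.1" 302 0
192.0.2.12 - - [11/Dec/2023:08:02:17 +0000] "GET /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree?parentid=1'%20UNION%20SELECT%20login,passwd%20FROM%20users-- HTTP/1.1" 200 2048
"""

ENDPOINT = "/general/inform/org/loadhistroyorgtree"
REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Crude indicators for a parameter that should only ever be a plain id.
SQLI_RE = re.compile(r"'|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\S+\s*=", re.I)


def fully_decode(s, rounds=3):
    """Percent-decode until stable so %252e (double encoding) is caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse(line):
    """Return (client_ip, findings) for one log line, or None if unparsable."""
    m = REQ_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    decoded_path = fully_decode(parts.path)
    findings = []
    # Signature 1: a traversal that resolves onto the vulnerable handler.
    if ".." in decoded_path and posixpath.normpath(decoded_path) == ENDPOINT:
        findings.append("traversal-to-loadhistroyorgtree")
    # Signature 2: SQL metacharacters in the injected parameter.
    parentid = parse_qs(parts.query).get("parentid", [""])[0]
    if parentid and SQLI_RE.search(fully_decode(parentid)):
        findings.append("sqli-in-parentid")
    return m.group("ip"), findings


def scan(log_text):
    """Return [(client_ip, findings)] for every line with at least one hit."""
    hits = []
    for line in log_text.splitlines():
        result = analyse(line)
        if result and result[1]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Run against real Tomcat or reverse-proxy access logs, the traversal signature is the higher-fidelity one: a legitimate client has no reason to send ../ into the oauthservlet path, whereas the metacharacter check will fire on ordinary quoting in other parameters if you widen it beyond parentid.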


Vulnerability details

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: hrp2000
Product: e-hr
Version: 2020

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation. For CWE-89 the durable fix is parameterised queries in the affected handler; validating parentid is a compensating layer, not a replacement.
