CVE-2023-6655
Published: 10 December 2023
Summary
CVE-2023-6655 is a high-severity SQL Injection (CWE-89) vulnerability in Hrp2000 E-Hr. Its CVSS base score is 7.3 (High).
Operationally, ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
A critical SQL injection vulnerability, tracked as CVE-2023-6655 and assigned CWE-89, affects the Hongjing e-HR 2020 product. The flaw resides in an unauthenticated endpoint of the Login Interface component at /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree, where unsanitized input to the parentid parameter is passed directly to a database query.
Remote attackers can exploit the issue over the network without credentials or user interaction to read, modify, or delete limited data, corresponding to the observed CVSS 7.3 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). A public proof-of-concept has been released, enabling straightforward reproduction of the injection.
EPSS scores for the CVE reached a peak of 0.3869 before receding to the current value of 0.2494, indicating moderate and sustained but not rapidly escalating interest from potential exploit authors following disclosure. No official patch or mitigation guidance is referenced in the available advisories.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58877
Vulnerability details
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /w_selfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument parentid leads to sql…
more
injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-247358 is the identifier assigned to this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.