Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-6098: Multiple vulnerabilities in ICSSolution ICS Business Manager

An XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user’s session, and perform actions within the application.

CVE
#sql#xss#vulnerability#auth

Affected Resources

ICS Business Manager, versions:

  • 7.06.0028.2802;
  • 7.06.0028.7066;
  • 7.06.0028.7089.

Description

INCIBE has coordinated the publication of 2 vulnerabilities that affect ICSSolution ICS Business Manager, which have been discovered by David Cámara Galindo and Andrés Elizalde Galdeano from Telefónica Tech.

These vulnerabilities has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

  • CVE-2023-6097: CVSS v3.1: 9.4 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L | CWE-89.
  • CVE-2023-6098: CVSS v3.1: 6.3 | CVSS: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | CWE-79.

Solution

There is no reported solution at this time.

Detail

  • CVE-2023-6097: a SQL injection vulnerability has been found in ICS Business Manager, affecting version 7.06.0028.7089. This vulnerability could allow a remote user to send a specially crafted SQL query and retrieve all the information stored in the database. The data could also be modified or deleted, causing the application to malfunction.
  • CVE-2023-6098: an XSS vulnerability has been discovered in ICS Business Manager affecting version 7.06.0028.7066. A remote attacker could send a specially crafted string exploiting the obdd_act parameter, allowing the attacker to steal an authenticated user’s session, and perform actions within the application…

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907