CVE-2023-31702

HIGH

MicroWorld eScan Management Console <14.0.1400.2281 - SQL Injection

Title source: llm

Description

SQL injection in the View User Profile feature of MicroWorld eScan Management Console 14.0.1400.2281 allows a remote attacker to dump the entire database and gain a Windows XP command shell to perform code execution on the database server via GetUserCurrentPwd?UsrId=1.

Exploits (2)

exploitdb WRITEUP
by Sahil Ojha · text · webapps · windows
https://www.exploit-db.com/exploits/51466
nomisec WRITEUP 2 stars
by sahiloj · poc
https://github.com/sahiloj/CVE-2023-31702

Scores

CVSS v3 7.2
EPSS 0.0238
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
escanav/escan_management_console 14.0.1400.2281
Published May 17, 2023
Tracked Since Feb 18, 2026