CVE-2023-37777

CRITICAL

Synnefo Internet Management Software <= 2023 - SQL Injection via API Endpoint Parameter

Title source: llm
STIX 2.1

Description

A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands.

Scores

CVSS v3 9.8
EPSS 0.0042
EPSS Percentile 33.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Published Jan 22, 2025
Tracked Since Feb 18, 2026