CVE-2023-37777
CRITICALSynnefo Internet Management Software <= 2023 - SQL Injection via API Endpoint Parameter
Title source: llmDescription
A SQL injection vulnerability exists in Synnefo Internet Management Software (IMS) version 2023 and earlier. This vulnerability occurs due to improper input validation in a specific API endpoint parameter allowing an attacker to manipulate SQL queries via crafted input. Successful exploitation could lead to unauthorized access to database records with DB administrator privileges which can be leveraged to escalate privileges further and execute arbitrary OS commands.
References (2)
Core 2
Core References
Various Sources
https://synnefoims.com/
Scores
CVSS v3
9.8
EPSS
0.0042
EPSS Percentile
33.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Published
Jan 22, 2025
Tracked Since
Feb 18, 2026