CVE-2023-47261 in ECM
Summary
by MITRE • 12/14/2023
Dokmee ECM 7.4.6 allows remote code execution because the response to a GettingStarted/SaveSQLConnectionAsync /#/gettingstarted request contains a connection string for privileged SQL Server database access, and xp_cmdshell can be enabled.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/11/2024
The vulnerability identified as CVE-2023-47261 affects Dokmee ECM version 7.4.6 and represents a critical remote code execution flaw that stems from improper handling of database connection information within the application's web interface. The issue manifests through the GettingStarted/SaveSQLConnectionAsync endpoint, which processes requests to save SQL Server connection parameters and thereby creates an avenue for attackers to escalate privileges and gain unauthorized system access.
The technical exploitation of this vulnerability relies on the exposure of privileged database connection strings in the application's response handling. When the SaveSQLConnectionAsync endpoint processes a request, its response inadvertently includes sensitive connection information that malicious actors can use to establish database access with elevated privileges. The vulnerability becomes particularly dangerous when combined with the ability to enable xp_cmdshell, a SQL Server feature that allows operating system commands to be executed directly from the database context. This combination turns what would otherwise be an information disclosure into full remote code execution.
From an operational impact perspective, this vulnerability creates significant risk for organizations using Dokmee ECM 7.4.6, as it allows attackers to execute arbitrary commands on the operating system hosting the database server. The attack vector is particularly concerning because it requires no local access or authentication, making it exploitable from any remote location with network connectivity to the affected system. Because the flaw lies in an exposed API endpoint, security teams must detect and mitigate it without the benefit of extensive knowledge of the application's internal architecture.
The vulnerability aligns with CWE-200 (Information Exposure) and CWE-78 (Improper Neutralization of Special Elements used in OS Commands); together these describe the exposure of sensitive information combined with command injection capabilities. From an ATT&CK framework perspective, this vulnerability maps to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1046 (Network Service Scanning), as attackers can use the exposed database connection to perform reconnaissance and then execute commands through the enabled xp_cmdshell functionality. The threat model indicates that this vulnerability could be exploited both by automated scanning tools and by sophisticated adversaries seeking to establish persistent access to target environments.
Organizations should implement immediate mitigations, including disabling xp_cmdshell on affected SQL Server instances, restricting network access to the vulnerable API endpoints through firewalls, and implementing proper input validation and output sanitization for database connection parameters. The most effective long-term solution is to upgrade to a patched version of Dokmee ECM or to use network segmentation to isolate the vulnerable components from critical systems. Security monitoring should focus on detecting unusual database connection patterns and command execution attempts that might indicate exploitation of this vulnerability.
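As an added illustration of the output-sanitization and monitoring advice above (example code written for this page, not Dokmee's or VulDB's), the following Python script detects ADO.NET-style connection strings in a response body, checks whether the embedded login is SQL Server's built-in sysadmin account `sa`, masks the password before the body would leave the server, and flags access-log requests to the setup endpoint. The response body, the access-log format and every value in them are constructed for the example; the real application's response format is not on the page and is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a JSON response body of the kind the advisory describes,
# carrying a privileged SQL Server connection string. All values are made up.
SAMPLE_RESPONSE_BODY = (
    '{"status":"ok","connection":"Server=dbhost\\\\SQLEXPRESS;Database=Dokmee;'
    'User Id=sa;Password=Ex4mple!Pass;Encrypt=True"}'
)

# Constructed sample access-log lines in a hypothetical
# "<timestamp> <client-ip> <method> <path> <status> <bytes>" format.
SAMPLE_ACCESS_LOG = [
    "2024-01-11T10:00:01Z 203.0.113.7 GET /#/gettingstarted 200 512",
    "2024-01-11T10:00:03Z 203.0.113.7 POST /GettingStarted/SaveSQLConnectionAsync 200 734",
    "2024-01-11T10:02:15Z 198.51.100.4 GET /Documents/List 200 2048",
    "2024-01-11T10:05:40Z 203.0.113.7 POST /GettingStarted/SaveSQLConnectionAsync 200 734",
]

# The endpoint named in the advisory; requests to it are worth alerting on.
ENDPOINT = "/GettingStarted/SaveSQLConnectionAsync"

# Connection-string keys whose values must never reach a client.
SECRET_KEYS = {"password", "pwd"}
# Logins that grant sysadmin-level access (sa is the built-in one).
PRIVILEGED_LOGINS = {"sa"}

# Heuristic: two or more "key=value" pairs separated by semicolons, where keys
# are letters/spaces (Server, Data Source, User Id, ...) and values stop at
# quotes, braces or the next semicolon.
CONNSTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z ]*=[^;\"'{}]*;)+[A-Za-z][A-Za-z ]*=[^;\"'{}]*")


def parse_connection_string(s: str) -> Dict[str, str]:
    """Split 'k=v;k=v' into a dict with lower-cased, stripped keys."""
    out: Dict[str, str] = {}
    for part in s.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def find_connection_strings(body: str) -> List[str]:
    """Return every substring of a response body that looks like a connection string."""
    return [m.group(0) for m in CONNSTR_RE.finditer(body)]


def is_privileged(conn: Dict[str, str]) -> bool:
    """True when the login in a parsed connection string is a sysadmin account."""
    login = conn.get("user id") or conn.get("uid") or conn.get("user") or ""
    return login.lower() in PRIVILEGED_LOGINS


def redact_connection_strings(body: str) -> str:
    """Mask secret values so a leaked string no longer yields usable credentials."""
    def _redact(m: re.Match) -> str:
        parts = []
        for part in m.group(0).split(";"):
            if "=" in part:
                k, _ = part.split("=", 1)
                if k.strip().lower() in SECRET_KEYS:
                    part = f"{k}=***"
            parts.append(part)
        return ";".join(parts)
    return CONNSTR_RE.sub(_redact, body)


def flag_endpoint_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, client_ip) for each request to the setup endpoint."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[3].lower() == ENDPOINT.lower():
            hits.append((fields[0], fields[1]))
    return hits


if __name__ == "__main__":
    for cs in find_connection_strings(SAMPLE_RESPONSE_BODY):
        conn = parse_connection_string(cs)
        print("leaked connection string; privileged:", is_privileged(conn))
    print("redacted body:", redact_connection_strings(SAMPLE_RESPONSE_BODY))
    for ts, ip in flag_endpoint_hits(SAMPLE_ACCESS_LOG):
        print(f"{ts} request to {ENDPOINT} from {ip}")
```

The regex is intentionally a heuristic (it wants at least two key=value pairs), so it is suited to a response filter or a log-scanning job rather than a strict parser; pair it with the firewall restriction and the xp_cmdshell hardening the analysis recommends, since redaction alone does not remove the underlying flaw.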