CVE-2023-7190 in S-CMSinfo

Summary

by MITRE • 12/31/2023

A vulnerability, which was classified as critical, has been found in S-CMS up to 2.0_build20220529-20231006. Affected by this issue is some unknown functionality of the file /member/ad.php?action=ad. The manipulation of the argument A_text/A_url/A_contact leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249392. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 01/22/2024

The vulnerability identified as CVE-2023-7190 represents a critical sql injection flaw within S-CMS version 2.0_build20220529-20231006, specifically affecting the member/ad.php script when invoked with the ad action parameter. This vulnerability resides in the handling of three distinct input parameters: A_text, A_url, and A_contact, which collectively enable malicious actors to manipulate database queries through crafted input values. The flaw stems from insufficient input validation and sanitization mechanisms within the application's backend processing logic, allowing attackers to inject malicious sql code that can be executed against the underlying database system.

The technical exploitation of this vulnerability occurs through the manipulation of the three vulnerable parameters within the member/ad.php?action=ad endpoint, where user-supplied data is directly incorporated into sql queries without proper escaping or parameterization. This design flaw aligns with CWE-89, which specifically addresses sql injection vulnerabilities, and demonstrates a classic example of improper input validation where external data flows directly into database operations. The vulnerability's classification as critical reflects the potential for complete database compromise, including unauthorized data access, modification, or deletion, as well as possible privilege escalation within the application's database layer.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could enable attackers to gain unauthorized access to sensitive user information, member data, and potentially administrative credentials stored within the S-CMS database. The disclosure of this vulnerability to the public, as indicated by the VDB-249392 identifier, increases the risk of widespread exploitation since malicious actors now have detailed information about the specific attack vector and target system components. The lack of vendor response to early disclosure attempts compounds the risk, leaving users without official patches or mitigation guidance during the critical period when the vulnerability is actively being exploited.

Security professionals should consider this vulnerability in the context of the ATT&CK framework, specifically under the T1190 technique for exploiting vulnerabilities in web applications, and T1071.004 sub-technique for application layer protocol usage. The vulnerability's exploitation requires minimal technical expertise, making it particularly dangerous as it can be leveraged by attackers of varying skill levels. Organizations using S-CMS should implement immediate mitigations including input validation, parameterized queries, and web application firewall rules to block malicious payloads targeting the affected endpoint. The vulnerability also highlights the importance of vendor communication and responsible disclosure practices, as the lack of vendor response leaves systems exposed during the critical vulnerability lifecycle.

Responsible

VulDB

Reservation

12/30/2023

Disclosure

12/31/2023

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00479

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!