CVE-2023-40954

A SQL injection vulnerability in Grzegorz Marczynski Dynamic Progress Bar (aka web_progress) v. 11.0 through 11.0.2, v12.0 through v12.0.2, v.13.0 through v13.0.2, v.14.0 through v14.0.2.1, v.15.0 through v15.0.2, and v16.0 through v16.0.2.1 allows a remote attacker to gain privileges via the recency parameter in models/web_progress.py component.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
gmarczynskidynamic_progress_bar
11.0 ≤
𝑥
≤ 11.0.2
gmarczynskidynamic_progress_bar
12.0 ≤
𝑥
≤ 12.0.2
gmarczynskidynamic_progress_bar
13.0 ≤
𝑥
≤ 13.0.2
gmarczynskidynamic_progress_bar
14.0 ≤
𝑥
≤ 14.0.2.1
gmarczynskidynamic_progress_bar
15.0 ≤
𝑥
≤ 15.0.2
gmarczynskidynamic_progress_bar
16.0 ≤
𝑥
≤ 16.0.2.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/gmarczynski/odoo-web-progress/commit/3c867f1cf7447449c81b1aa24ebb1f7ae757489f
https://github.com/luvsn/OdZoo/tree/main/exploits/web_progress
https://github.com/gmarczynski/odoo-web-progress/commit/3c867f1cf7447449c81b1aa24ebb1f7ae757489f
https://github.com/luvsn/OdZoo/tree/main/exploits/web_progress