CVE-2023-4309

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cisa-cgCNA
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
electionservicescointernet_election_service
-
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://schemasecurity.co/private-elections.pdf
https://www.electionservicesco.com/pages/services_internet.php
https://www.youtube.com/watch?v=yeG1xZkHc64
https://schemasecurity.co/private-elections.pdf
https://www.electionservicesco.com/pages/services_internet.php
https://www.youtube.com/watch?v=yeG1xZkHc64