Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

CVE-2023-36417

Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

CVE
#sql#vulnerability#microsoft#rce
CVE-2023-36420

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-36728

Microsoft SQL Server Denial of Service Vulnerability

CVE-2023-36730

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-4309

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.

CVE-2023-36785

Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

CVE-2023-5497

A vulnerability classified as critical has been found in Tongda OA 2017 11.10. Affected is an unknown function of the file general/hr/salary/welfare_manage/delete.php. The manipulation of the argument WELFARE_ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-241650 is the identifier assigned to this vulnerability.

CVE-2023-5495

A vulnerability was found in QDocs Smart School 6.4.1. It has been classified as critical. This affects an unknown part of the file /course/filterRecords/ of the component HTTP POST Request Handler. The manipulation of the argument searchdata[0][title]/searchdata[0][searchfield]/searchdata[0][searchvalue] leads to sql injection. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-241647. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-36785: Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

**The following mitigating factors might be helpful in your situation:** Exploitation of this vulnerability requires an attacker to trick or convince the victim into connecting to their malicious server. If your environment only connects to known, trusted servers and there is no ability to reconfigure existing connections to point to another location (for example you use TLS encryption with certificate validation), the vulnerability cannot be exploited.

CVE-2023-36417: Microsoft SQL ODBC Driver Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** An attacker could exploit the vulnerability by tricking an authenticated user (CVSS metric UI:R) into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).