CVE-2023-26443

Summary

Full-text autocomplete search allows user-provided SQL syntax to be injected to SQL statements. With existing sanitization in place, this can be abused to trigger benign SQL Exceptions but could potentially be escalated to a malicious SQL injection vulnerability. We now properly encode single quotes for SQL FULLTEXT queries. No publicly available exploits are known.

Affected Software

VendorProductVersion RangeStatus
OX Software GmbHOX App Suite0 <= 7.10.6-rev42affected
OX Software GmbHOX App Suite0 <= 8.11affected

Weaknesses

  • CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CVE Program Container

Additional References

References