CVE-2023-4309
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Election Services Co. (ESC) | Internet Election Service | 0 <= 2023-08-12 | affected |
Weaknesses
- CWE-89: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CVE Program Container
Additional References
- https://schemasecurity.co/private-elections.pdf
- https://www.youtube.com/watch?v=yeG1xZkHc64
- https://www.electionservicesco.com/pages/services_internet.php
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://schemasecurity.co/private-elections.pdf
- https://www.youtube.com/watch?v=yeG1xZkHc64
- https://www.electionservicesco.com/pages/services_internet.php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.