CVE-2023-36284
published 2023-06-23


Priority: P2 (62)
Severity: high, CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Flags: EXPLOIT
EPSS: 3.16% (86.4th percentile)
An unauthenticated Time-Based SQL injection found in Webkul QloApps 1.6.0 via GET parameter date_from, date_to, and id_product allows a remote attacker to bypass a web application's authentication and authorization mechanisms and retrieve the contents of an entire database.

Affected

1 range

Vendor    Product    Version range    Fixed in
webkul    qloapps    (not stated)     (not stated)

Detection & IOCs (extracted from sources)

url: /quick-order?date_from=2023-06-12%2000:00:00&date_to=2023-06-13%2000:00:00&deleteFromOrderLine=1&id_product=(select(0)from(select(sleep(5)))v)
path: /quick-order
command: id_product=(select(0)from(select(sleep(5)))v)
  • Detect time-based SQL injection attempts against QloApps by monitoring GET requests to /quick-order with a sleep() payload in the id_product, date_from, or date_to parameters; a response duration >= 5 seconds indicates successful injection.
  • Fingerprint vulnerable QloApps instances by checking for the string 'QloApps' (case-insensitive) in the HTTP response body of the root path GET /.
  • Use FOFA queries 'title="QloApps"' or 'title="qloapps"' to identify internet-exposed QloApps instances for proactive scanning.
  • Confirm exploitation by checking that the response body contains the string 'Guest Information' alongside a response duration >= 5 seconds.
  • The injection is unauthenticated and targets GET parameters date_from, date_to, and id_product on the /quick-order endpoint; no session or authentication token is required to exploit.
  • The Nuclei template uses a 20-second HTTP timeout to accommodate the sleep(5) payload; WAF or network-level timeout rules shorter than this may suppress detection.