CVE-2023-4708
Published 2023-09-01
Priority: P274 · critical · 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 45.64% (98.6th percentile)
A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /collection/all of the component GET Parameter Handler. The manipulation of the argument tag leads to sql injection. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-238571. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| infosoftbd | clcknshop | — | — |
Detection & IOCs (extracted from sources)
- Monitor GET requests to /collection/all for SQL injection patterns in the 'tag' parameter, specifically time-based blind injection using SLEEP() or XOR constructs.
- Detect time-based blind SQL injection attempts targeting MySQL via the 'tag' parameter — look for payloads containing SLEEP(), XOR, and nested SELECT statements.
- The vulnerable path is /collection/all in Infosoftbd Clcknshop 1.0.0; alert on anomalous or malformed values in the 'tag' GET parameter on this endpoint.
- The injection is time-based blind (SLEEP-based), meaning it will not produce visible error output — detection must rely on anomalous response latency or payload pattern matching rather than error-based signatures.
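As an added example (not code from the page, the vendor or the indexed sources), a small Python log scanner that applies both detection ideas above to constructed access-log lines: pattern matching on the decoded 'tag' parameter of GET /collection/all requests, and a response-latency threshold for the blind, SLEEP-based case that leaves no error output. The log format (common log format with a trailing response-time field in milliseconds), the 3000 ms threshold and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample log lines (assumed format: common log format + response time in ms).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2023:10:00:01 +0000] "GET /collection/all?tag=shoes HTTP/1.1" 200 5120 120
203.0.113.9 - - [01/Sep/2023:10:00:07 +0000] "GET /collection/all?tag=shoes'%20XOR%20(SELECT%20SLEEP(5))%20OR%20'a HTTP/1.1" 200 5120 5210
203.0.113.9 - - [01/Sep/2023:10:00:15 +0000] "GET /collection/all?tag=bags HTTP/1.1" 200 5120 5340
198.51.100.2 - - [01/Sep/2023:10:00:20 +0000] "GET /product/view?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 900 5100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ (?P<ms>\d+)$'
)
# Constructs named by the page's detection notes: SLEEP(), XOR and nested SELECT.
PAYLOAD_RE = re.compile(r"\bSLEEP\s*\(|\bXOR\b|\(\s*SELECT\b", re.IGNORECASE)

def inspect(line, latency_ms=3000):
    """Return a verdict dict for GET /collection/all requests, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlparse(m["target"])
    if url.path != "/collection/all":
        return None
    tags = parse_qs(url.query, keep_blank_values=True).get("tag", [])
    reasons = []
    # parse_qs already decodes once; a second unquote catches double-encoded values.
    if any(PAYLOAD_RE.search(unquote_plus(t)) for t in tags):
        reasons.append("payload-pattern")
    # Blind, time-based injection shows up as latency even when the payload is missed.
    if int(m["ms"]) >= latency_ms:
        reasons.append("slow-response")
    return {"ip": m["ip"], "tag": tags, "reasons": reasons}

def scan(log):
    """Return only the verdicts that carry at least one reason to alert."""
    return [v for v in (inspect(l) for l in log.splitlines()) if v and v["reasons"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third sample line is flagged on latency alone, which is the signal the last note above says must carry detection when the payload pattern is not seen.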
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.