CVE-2023-26439

HIGH Year: 2023
CVSS v3 Score
7.8
High
Weakness Type
CWE-89
View all →

Vulnerability Description

The cacheservice API could be abused to inject parameters with SQL syntax which was insufficiently sanitized before getting executed as SQL statement. Attackers with access to a local or restricted network were able to perform arbitrary SQL queries, discovering other users cached data. We have improved the input check for API calls and filter for potentially malicious content. No publicly available exploits are known.

Related Vulnerabilities

CVE-2015-4669

HIGH
CVSS:7.8(High)

The MySQL "root" user in Xsuite 2.x does not have a password set, which allows local users to access databases on the system.

CWE-892015

CVE-2019-12372

HIGH
CVSS:7.8(High)

Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form.

CWE-892019

CVE-2019-20573

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the RCS Content Provider. The Samsung IDs are SVE-2019-14059, SVE-2019-14685...

CWE-892019

CVE-2019-20574

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Wi-Fi history Content Provider. The Samsung ID is SVE-2019-14061 (August...

CWE-892019

CVE-2019-20591

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Gear VR Service Content Provider. The Samsung ID is SVE-2019-14058 (July...

CWE-892019

CVE-2019-20592

HIGH
CVSS:7.8(High)

An issue was discovered on Samsung mobile devices with N(7.x), O(8.x), and P(9.0) software. There is local SQL injection in the Story Video Editor Content Provider. The Samsung ID is SVE-2019-14062 (J...

CWE-892019