CVE-2023-4309 CRITICAL


Vendor: Election Services Co. (ESC)
Product: Internet Election Service
Weakness: CWE-89 (SQL injection)
Published: October 10, 2023
Last update: September 18, 2024

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Election Services Co. (ESC) Internet Election Service is vulnerable to SQL injection in multiple pages and parameters. These vulnerabilities allow an unauthenticated, remote attacker to read or modify data for any elections that share the same backend database. ESC deactivated older and unused elections and enabled web application firewall (WAF) protection for current and future elections on or around 2023-08-12.

Key dates

02 Disclosure timeline

October 10, 2023: CVE published
September 18, 2024: Record updated