/CVE-2023-41507

CVE-2023-41507 A hard coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

Apache License 2.0Apache-2.0

CVE-2023-41507

CVE-2023-41507 - Super Store Finder v3.6 was discovered to contain multiple SQL injection vulnerabilities in the store locator component via the products, distance, lat, and lng parameters.

Vulnerability Type

SQL Injection

Vendor of Product

Super Store Finder

Affected Product Code Base

Super Store Finder - Affected version 3.6 or below. Fixed in version 3.7

CVSS v3.1 Vector (Base Score)

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

Affected Component

Affected backend DBMS

Attack Type

Remote

Impact Information Disclosure

true

Attack Vectors

The 4 x parameters products, distance, lat, lng in the HTTP POST request are vulnerable to SQL Injection, no user interaction is required.

Screenshot of the indicator of error-based SQL injection Screenshot of the indicator of error-based SQL injection

Screenshot of the Proof-of-Concept to extract the users table using SQLMap Screenshot of the Proof-of-Concept to extract the users table using SQLMap

Patch Notes

https://superstorefinder.net/support/forums/topic/super-store-finder-patch-notes/