/CVE-2023-41508

CVE-2023-41508 - A hard-coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

Apache License 2.0Apache-2.0

CVE-2023-41508

CVE-2023-41508 - A hard-coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

Vulnerability Type

Incorrect Access Control

Vendor of Product

Super Store Finder

Affected Product Code Base

Super Store Finder - Affected version 3.6 or below. Fixed in version 3.7

CVSS v3.1 Vector (Base Score)

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)

Affected Component

Affected Web admin console

Attack Type

Remote

Impact Denial of Service

true

Impact Escalation of Privileges

true

Impact Code execution

true

Attack Vectors

The default admin password (admin/password) is hardcoded, defeating the authentication's purpose. Besides, the default admin username and password could not be changed.

Screenshot of the hardcoded password (admin/password) Screenshot of the indicator of error-based SQL injection

Screenshot of the Proof-of-Concept to inject stored cross-site scripting (XSS) due to the absence of input validation for the admin panel Screenshot of the Proof-of-Concept to extract the users table using SQLMap

Screenshot of the Proof-of-Concept to trigger stored cross-site scripting (XSS) Screenshot of the Proof-of-Concept to extract the users table using SQLMap

Patch Notes

https://superstorefinder.net/support/forums/topic/super-store-finder-patch-notes/