CVE-2023-29809

9.8 CRITICAL

📋 TL;DR

CVE-2023-29809 is a critical SQL injection vulnerability in Maximilian Vogt companymaps (cmaps) version 8.0 that allows remote attackers to execute arbitrary SQL commands via crafted requests. This can lead to complete system compromise, data theft, or unauthorized access. Organizations running companymaps v8.0 are affected.

💻 Affected Systems

Products:
  • Maximilian Vogt companymaps (cmaps)
Versions: 8.0
Operating Systems: Any OS running companymaps
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of companymaps v8.0 are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Database compromise leading to sensitive data theft, privilege escalation, and potential remote code execution.

🟢 If Mitigated

Limited impact with proper input validation, WAF protection, and network segmentation preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available. Attack requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Implement WAF rules to block SQL injection patterns targeting companymaps endpoints

Input Validation Filter

all

Add input validation middleware to sanitize all user inputs before processing

🧯 If You Can't Patch

  • Isolate the companymaps server in a segmented network zone with strict firewall rules
  • Implement network-based intrusion detection/prevention systems (IDS/IPS) to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if companymaps version 8.0 is installed. Review application logs for SQL injection patterns or unexpected database queries.

Check Version:

Check companymaps configuration files or admin interface for version information

Verify Fix Applied:

Test with SQL injection payloads to confirm they are blocked or sanitized. Verify WAF/IDS logs show blocked attempts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL syntax
  • Unexpected database errors in application logs

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, INSERT, etc.) to companymaps endpoints
  • Unusual outbound database connections

SIEM Query:

source="companymaps" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE" OR "UPDATE") AND status=200
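
The same keyword check applied to web server access logs, as an added example that is not part of the original advisory or of companymaps. It percent-decodes the query string (repeatedly, to cover double encoding) before matching whole words case-insensitively. The `/cmaps/` path prefix, the file names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

APP_PREFIX = "/cmaps/"  # assumption: path companymaps is served under; adjust locally
SQL_WORDS = re.compile(r"\b(select|union|insert|delete|update)\b", re.IGNORECASE)
# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges, hypothetical file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2023:10:00:00 +0000] "GET /cmaps/index.php?id=12 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/May/2023:10:00:05 +0000] "GET /cmaps/index.php?id=12%20UnIoN%20SeLeCt%201 HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/May/2023:10:00:09 +0000] "GET /cmaps/index.php?id=12%2520union%2520select%25201 HTTP/1.1" 500 120',
    '192.0.2.10 - - [01/May/2023:10:01:00 +0000] "GET /cmaps/search.php?q=selection+updates HTTP/1.1" 200 901',
    '192.0.2.44 - - [01/May/2023:10:02:00 +0000] "GET /other/app?x=union%20select HTTP/1.1" 200 88',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines, prefix=APP_PREFIX):
    """Return one record per request under `prefix` whose decoded query has SQL keywords."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, when, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.startswith(prefix):
            continue  # request is for a different application
        words = sorted({w.lower() for w in SQL_WORDS.findall(fully_decode(parts.query))})
        if words:
            hits.append({"client": client, "time": when, "path": parts.path,
                         "status": int(status), "keywords": words})
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the request line, so parameters sent in a POST body need application or WAF logging to be covered. The status code is reported rather than filtered, since both 200 and database-error responses appear among the indicators above.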
