CVE-2023-36645

9.1 CRITICAL

📋 TL;DR

This SQL injection vulnerability in ITB-GmbH TradePro v9.5 allows remote attackers to execute arbitrary SQL queries through the oordershow component in customer functions. Attackers can potentially access, modify, or delete database content. All users running vulnerable versions of TradePro v9.5 are affected.

💻 Affected Systems

Products:
  • ITB-GmbH TradePro
Versions: v9.5
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the customer function's oordershow component specifically. All installations of v9.5 are vulnerable unless patched.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, privilege escalation to system-level access, and potential lateral movement to other systems.

🟠 Likely Case

Unauthorized access to customer data, order information, and potentially authentication credentials stored in the database.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available on GitHub. SQL injection vulnerabilities are commonly weaponized due to their impact and relative ease of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Contact ITB-GmbH for an official patch or upgrade path.
2. Apply input validation and parameterized queries to the oordershow component.
3. Test thoroughly in a development environment before production deployment.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Applies to: all

Implement WAF rules to block SQL injection patterns targeting the oordershow component.

Database Permission Restrictions

Applies to: all

Limit the application's database user to the operations it actually needs (SELECT only; no DROP, DELETE or UPDATE).

🧯 If You Can't Patch

  • Isolate the TradePro system from internet access and restrict to internal network only
  • Implement strict network segmentation and monitor all database queries from the application

🔍 How to Verify

Check if Vulnerable:

Test the oordershow component with SQL injection payloads (e.g., ' OR '1'='1) in customer function parameters

Check Version:

Check TradePro version in application interface or configuration files

Verify Fix Applied:

Verify that SQL injection payloads are no longer executed by the database: the application should either return a controlled error or treat the input as a properly sanitized literal value.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from application user
  • SQL syntax errors in application logs
  • Multiple failed login attempts followed by SQL-like patterns

Network Indicators:

  • Unusual database connection patterns
  • SQL keywords in HTTP POST/GET parameters to oordershow endpoint

SIEM Query:

source="tradepro_logs" AND ("sql" OR "union" OR "select" OR "insert" OR "delete") AND "oordershow"
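Added example, not part of this advisory or of TradePro itself: a small Python scanner that applies the same indicators (SQL keywords, quote tautologies and comment sequences in parameters sent to the oordershow endpoint) to constructed access-log lines. The Apache common log layout is an assumption, since TradePro's own log format is not given here.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample log lines (Apache common format, assumed layout).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2023:10:01:02 +0000] "GET /customer/oordershow.php?orderid=1042 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Jul/2023:10:01:07 +0000] "GET /customer/oordershow.php?orderid=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 90211
10.0.0.9 - - [12/Jul/2023:10:01:09 +0000] "GET /customer/oordershow.php?orderid=1042%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 312
10.0.0.7 - - [12/Jul/2023:10:02:15 +0000] "GET /customer/profile.php?name=select HTTP/1.1" 200 2048
10.0.0.5 - - [12/Jul/2023:10:03:30 +0000] "POST /customer/oordershow.php HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators from the Detection & Monitoring section: SQL keywords, a
# quote-based tautology (' OR ') and SQL comment openers.
SQLI_RE = re.compile(
    r"\b(union|select|insert|update|delete|drop)\b|'\s*or\s*'|--|/\*",
    re.IGNORECASE,
)


def scan_access_log(text):
    """Return (ip, timestamp, parameter, decoded value) for every oordershow
    request parameter whose decoded value carries an SQL-injection indicator.
    POST bodies are not in an access log, so only query strings are checked."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "oordershow" not in m["target"].lower():
            continue  # only the vulnerable component is in scope
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl already decodes once; decode again to catch
            # double-encoded payloads before matching.
            decoded = unquote_plus(value)
            if SQLI_RE.search(decoded):
                hits.append((m["ip"], m["ts"], name, decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, name, value in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} oordershow {name}={value!r}")
```

The profile.php line is deliberately left out of the results: a bare SQL keyword outside the oordershow endpoint is noise for this CVE, which is why the scanner filters on the component first.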
