CVE-2023-46700

9.8 CRITICAL

📋 TL;DR

This is a critical SQL injection vulnerability in LuxCal Web Calendar that allows remote unauthenticated attackers to execute arbitrary SQL commands. Attackers can read, modify, or delete database contents, potentially gaining full control of affected systems. All users running vulnerable versions of LuxCal Web Calendar are affected.

💻 Affected Systems

Products:
  • LuxCal Web Calendar
Versions: MySQL version prior to 5.2.4M, SQLite version prior to 5.2.4L
Operating Systems: All operating systems running LuxCal
Default Config Vulnerable: ⚠️ Yes
Notes: Both MySQL and SQLite database backends are affected. The vulnerability exists in the core calendar application.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, authentication bypass, and potential remote code execution through database functions.

🟠 Likely Case

Unauthorized access to sensitive calendar data, user information extraction, and potential privilege escalation.

🟢 If Mitigated

Limited impact if proper input validation and WAF rules are in place, though SQL injection remains dangerous even with mitigations.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The unauthenticated nature and high CVSS score make this attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.4M for MySQL, 5.2.4L for SQLite

Vendor Advisory: https://www.luxsoft.eu/lcforum/viewtopic.php?id=476

Restart Required: Yes

Instructions:

1. Backup your database and configuration.
2. Download the patched version from luxsoft.eu.
3. Replace vulnerable files with the patched version.
4. Restart the web server.
5. Verify functionality.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Input Validation

all

Implement strict input validation on all user inputs

🧯 If You Can't Patch

  • Isolate the LuxCal instance behind a reverse proxy with strict WAF rules
  • Restrict network access to only trusted IP addresses

🔍 How to Verify

Check if Vulnerable:

Check LuxCal version in admin panel or by examining version.php file. Compare against vulnerable versions.

Check Version:

Check admin panel or view source of login page for version information

Verify Fix Applied:

Confirm the version is 5.2.4M (MySQL) or 5.2.4L (SQLite) or later. Test SQL injection attempts against the patched instance should be blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web logs
  • Multiple failed login attempts with SQL syntax
  • Unexpected database queries

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.)
  • Requests to calendar endpoints with unusual parameters

SIEM Query:

web_logs WHERE (url CONTAINS 'luxcal' AND (message CONTAINS 'sql' OR message CONTAINS 'syntax' OR parameters CONTAINS 'union' OR parameters CONTAINS 'select'))
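The SIEM query above, expressed as a standalone check that a defender can run over exported access logs. This is an added example, not part of the advisory or of LuxCal; the combined log format, the query parameter names and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# SQL syntax commonly seen in injection attempts, checked against a decoded
# parameter value. Word boundaries keep ordinary words such as "selection"
# in an event title from matching; the quote and comment tokens are literal.
SQLI_PATTERN = re.compile(
    r"\b(union|select|insert|update|delete|drop)\b|'|--|/\*|\bsleep\s*\(",
    re.IGNORECASE,
)
# Combined access-log format: client, timestamp, request line, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def suspicious_params(url: str) -> list[str]:
    """Return names of query parameters whose value contains SQL syntax."""
    # parse_qsl decodes once; unquote_plus again also catches double-encoded values.
    return [name for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
            if SQLI_PATTERN.search(unquote_plus(value))]

def scan_access_log(lines) -> list[dict]:
    """Flag requests to a LuxCal path that carry SQL syntax in any parameter."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        # Only the calendar endpoints matter; skip unparseable and unrelated lines.
        if not m or "luxcal" not in m["url"].lower():
            continue
        params = suspicious_params(m["url"])
        if params:
            findings.append({"ip": m["ip"], "url": m["url"],
                             "params": params, "status": m["status"]})
    return findings

# Constructed sample lines (hypothetical parameter names), not from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2023:10:01:02 +0000] "GET /luxcal/index.php?view=month&date=2023-11 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Nov/2023:10:01:07 +0000] "GET /luxcal/index.php?id=1%27%20UNION%20SELECT%201-- HTTP/1.1" 500 312',
    '10.0.0.8 - - [12/Nov/2023:10:02:11 +0000] "GET /luxcal/index.php?title=team+selection HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Nov/2023:10:03:45 +0000] "GET /luxcal/index.php?id=%2527%2520union%2520select HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['url']} (params: {', '.join(f['params'])}, status {f['status']})")
```

A 500 status alongside a flagged parameter corresponds to the "unusual SQL error messages" indicator above and is worth prioritising over a flagged request that returned 200.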

🔗 References