CVE-2023-6145

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Softomi Advanced C2C Marketplace Software allows attackers to execute arbitrary SQL commands against the database. It affects all versions before December 12, 2023, potentially compromising sensitive data and system integrity.

💻 Affected Systems

Products:
  • Softomi Advanced C2C Marketplace Software
Versions: All versions before 12122023 (December 12, 2023)
Operating Systems: Not specified; as a web application, it is likely platform independent
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the core marketplace application; specific vulnerable endpoints not detailed in CVE description.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, authentication bypass, and potential remote code execution on the database server.

🟠 Likely Case

Unauthorized access to sensitive user data (personal information, payment details), manipulation of marketplace listings, and privilege escalation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error-based information disclosure.

🌐 Internet-Facing: HIGH - Marketplace software is typically internet-facing, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - If deployed internally only, risk is reduced but still significant for authenticated users.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities typically have low exploitation complexity; the unauthenticated rating indicates that the vulnerable endpoints do not require a logged-in session.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version dated 12122023 or later

Vendor Advisory: https://www.usom.gov.tr/bildirim/tr-23-0724

Restart Required: Yes

Instructions:

1. Contact Istanbul Soft Informatics for the updated version.
2. Back up the database and application.
3. Install the version dated December 12, 2023 or later.
4. Restart application services.
5. Verify functionality.

🔧 Temporary Workarounds

  • Web Application Firewall (WAF) (all): Deploy a WAF with SQL injection rules to block malicious requests.
  • Input Validation Filter (all): Implement application-level input validation to sanitize user inputs.

🧯 If You Can't Patch

  • Isolate the application behind a reverse proxy with strict input validation
  • Implement database-level controls: minimal privileges, stored procedures, and query parameterization
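The two database-level controls named above, query parameterization and minimal privileges, shown in working code. This is an added example and not Softomi's code: the marketplace's schema, language and endpoints are not public, so it uses a constructed SQLite `users` table and a stand-in lookup function. It puts the string-built query beside its parameterized form, shows that a plain apostrophe in legitimate input already produces the SQL syntax error the Detection section lists as a log indicator, and opens a read-only connection so that even a successful injection cannot write.

```python
"""
Added example (not from the advisory or the vendor): query parameterization
and a read-only database connection as SQL injection mitigations.
Schema, table name and sample rows are constructed for the demo.
"""
import os
import sqlite3
import tempfile

# Constructed sample data standing in for a marketplace user table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def build_db(path):
    """Create a small SQLite file database holding the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    conn.close()


def lookup_unsafe(conn, username):
    """Vulnerable pattern: user input is spliced into the SQL text itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups against the sample DB and report what each did."""
    path = os.path.join(tempfile.mkdtemp(), "marketplace.db")
    build_db(path)
    rw = sqlite3.connect(path)

    # A legitimate value with an apostrophe: the unsafe query fails with a
    # syntax error (the log indicator the advisory mentions), the safe query
    # simply finds no such user.
    try:
        lookup_unsafe(rw, "o'brien")
        unsafe_apostrophe = "no error"
    except sqlite3.OperationalError:
        unsafe_apostrophe = "syntax error"
    safe_apostrophe = lookup_safe(rw, "o'brien")

    # The textbook tautology widens the unsafe WHERE clause to every row;
    # the parameterized query treats the whole string as one username.
    tautology = "x' OR '1'='1"
    unsafe_rows = lookup_unsafe(rw, tautology)
    safe_rows = lookup_safe(rw, tautology)
    rw.close()

    # Minimal privileges: the read path opens the database read-only, so a
    # successful injection through it still cannot modify data.
    ro = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        ro.execute("UPDATE users SET email = 'x' WHERE username = 'alice'")
        write_blocked = False
    except sqlite3.OperationalError:
        write_blocked = True
    ro.close()

    return {
        "unsafe_apostrophe": unsafe_apostrophe,
        "safe_apostrophe": safe_apostrophe,
        "unsafe_rows_returned": len(unsafe_rows),
        "safe_rows_returned": len(safe_rows),
        "read_only_write_blocked": write_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the read-only connection corresponds to a database account granted only SELECT on the tables the web tier needs; the SQLite `mode=ro` URI is the closest stand-in that runs offline.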

🔍 How to Verify

Check if Vulnerable:

Check the application version in the admin panel or configuration files; if the version date is before December 12, 2023, the installation is vulnerable.

Check Version:

Check application admin interface or configuration files for version information

Verify Fix Applied:

Confirm that the version is 12122023 or later, then test SQL injection payloads against application endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unusual database query patterns
  • SQL syntax errors in application logs
  • Multiple failed login attempts with SQL payloads

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, INSERT, etc.)
  • Unusual database port traffic from web servers

SIEM Query:

source="web_logs" AND ("SELECT" OR "UNION" OR "INSERT" OR "DELETE") AND status=200
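The SIEM query above implemented over web server logs, as an added example that is not part of the advisory. It parses constructed Apache combined-format lines (addresses and paths are made up), URL-decodes the request target, and compares the literal keyword match from the query with a tighter rule that also requires a quote or comment marker or a tautology, which is what separates `/help/select-a-category` from an actual probe. The `statuses` parameter is there because the query's `status=200` filter drops error responses, yet the "SQL syntax errors in application logs" indicator above lives in exactly those responses.

```python
"""
Added example (not from the advisory): the page's SIEM keyword query run over
constructed web log lines, beside a less noisy variant.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines in combined log format; hosts and paths are made up.
SAMPLE_LOGS = """\
203.0.113.5 - - [12/Dec/2023:10:01:02 +0300] "GET /listing?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2023:10:01:09 +0300] "GET /listing?id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2023:10:02:11 +0300] "GET /help/select-a-category HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2023:10:02:30 +0300] "GET /search?q=delete+my+account HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2023:10:03:00 +0300] "GET /listing?id=42+OR+1%3D1 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

# The keyword list from the SIEM query, matched on word boundaries.
SQL_KEYWORDS = ("SELECT", "UNION", "INSERT", "DELETE")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
# SQL metacharacters that rarely appear in legitimate request targets.
META_RE = re.compile(r"'|--|/\*|;")
# "OR x=x" with the same token on both sides of the equals sign.
TAUTOLOGY_RE = re.compile(r"\bOR\b\s+(\w+)\s*=\s*\1\b", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; return None if it does not fit."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote_plus(rec["target"])  # %27 -> ', + -> space
    return rec


def suspicious(decoded_target):
    """Keyword plus a metacharacter, or a tautology, in the decoded target."""
    has_keyword = KEYWORD_RE.search(decoded_target) is not None
    has_meta = META_RE.search(decoded_target) is not None
    has_tautology = TAUTOLOGY_RE.search(decoded_target) is not None
    return (has_keyword and has_meta) or has_tautology


def find_sqli_candidates(log_text, statuses=frozenset({200})):
    """Return (ip, status, decoded target) for lines that trip the tighter rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in statuses:
            continue
        if suspicious(rec["decoded"]):
            hits.append((rec["ip"], rec["status"], rec["decoded"]))
    return hits


def naive_keyword_hits(log_text):
    """The SIEM query as written: any keyword anywhere in a status-200 line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if any(kw in line.upper() for kw in SQL_KEYWORDS):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("naive:", len(naive_keyword_hits(SAMPLE_LOGS)))
    for hit in find_sqli_candidates(SAMPLE_LOGS, statuses=frozenset({200, 500})):
        print("candidate:", hit)
```

On the sample, the literal query flags three lines, two of them ordinary browsing; the tighter rule flags only the UNION probe at status 200, and picks up the tautology attempt as well once 500 responses are included. Treat either rule as a triage feed to be joined with source address and request rate, not as a block list.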

🔗 References