Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API.
AnalysisAI
Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. Any user logged in to a vFairs 3.3 virtual conference or event can perform SQL injection with a malicious query to the API. Affected products include: Vfairs.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.
vFairs 3.3 is affected by Remote Code Execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
In vFairs 3.3, any user logged in to a vFairs virtual conference or event can modify any other users profile information
vFairs 3.3 is affected by Insecure Permissions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploit
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today