CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33363
https://notcve.org/view.php?id=CVE-2023-33363
03 Aug 2023 — An authentication bypass vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated users to access some functionality on BioStar 2 servers. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33363 • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33365
https://notcve.org/view.php?id=CVE-2023-33365
03 Aug 2023 — A path traversal vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows unauthenticated attackers to fetch arbitrary files from the server's web server. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33365 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33364
https://notcve.org/view.php?id=CVE-2023-33364
03 Aug 2023 — An OS Command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33364 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-33366
https://notcve.org/view.php?id=CVE-2023-33366
03 Aug 2023 — A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands. • https://claroty.com/team82/disclosure-dashboard/cve-2023-33366 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31923
https://notcve.org/view.php?id=CVE-2023-31923
22 May 2023 — Suprema BioStar 2 before 2022 Q4, v2.9.1 has Insecure Permissions. A vulnerability in the web application allows an authenticated attacker with "User Operator" privileges to create a highly privileged user account. The vulnerability is caused by missing server-side validation, which can be exploited to gain full administrator privileges on the system. • https://nobugescapes.com/blog/creating-a-new-user-with-admin-privilege • CWE-281: Improper Preservation of Permissions •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 3CVE-2023-27167 – Suprema BioStar 2 v2.8.16 - SQL Injection
https://notcve.org/view.php?id=CVE-2023-27167
27 Mar 2023 — Suprema BioStar 2 v2.8.16 was discovered to contain a SQL injection vulnerability via the values parameter at /users/absence?search_month=1. Suprema BioStar 2 version 2.8.16 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/51340 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 2CVE-2022-38351
https://notcve.org/view.php?id=CVE-2022-38351
19 Sep 2022 — A vulnerability in Suprema BioStar (aka Bio Star) 2 v2.8.16 allows attackers to escalate privileges to System Administrator via a crafted PUT request to the update profile page. Una vulnerabilidad en Suprema BioStar (también conocido como Bio Star) 2 v2.8.16 permite a los atacantes escalar privilegios al administrador del sistema a través de una solicitud PUT elaborada a la página de perfil de actualización • https://nobugescapes.com/blog/privilege-escalation-from-user-operator-to-system-administrator • CWE-269: Improper Privilege Management •