CVE-2023-36645 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in ITB-GmbH TradePro v9.5. 📉 **Consequences**: Attackers can execute arbitrary SQL queries via the 'oordershow' component. This leads to potential data theft or system manipulation.

🛡️ **Root Cause**: Improper neutralization of special elements used in an SQL command (**SQL Injection**). The 'oordershow' component fails to sanitize user input before querying the database.…

🎯 **Affected**: ITB-GmbH TradePro **v9.5**. Specifically the **B2B e-shop** platform. The vulnerability resides in the **customer functionality** module, specifically the **oordershow** component.

💀 **Impact**: High! CVSS Score indicates **High Confidentiality & Integrity** impact. Hackers can: 1. **Steal** sensitive customer/order data. 2. **Modify** database records. 3.…

⚡ **Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. 1. **Network**: Remote exploit. 2. **Complexity**: Low (easy to exploit). 3. **Privileges**: None required. 4. **User Interaction**: None required.…

🔓 **Exploit**: **YES**. A public Proof-of-Concept (PoC) is available on GitHub by **caffeinated-labs**. Link: `https://github.com/caffeinated-labs/CVE-2023-36645`. Wild exploitation is possible using this tool.

🔍 **Self-Check**: Scan for **ITB-GmbH TradePro v9.5**. Look for the **oordershow** endpoint in the customer module. Use SQL injection scanners (like SQLMap) targeting this specific component.…

🩹 **Fix**: The provided data does **not** list an official vendor patch or mitigation strategy. It only references the PoC repository. Users must rely on the workaround below.

🛑 **Workaround**: Since no patch is listed: 1. **Block** access to the `oordershow` component via WAF/Network ACLs. 2. **Restrict** network access to the B2B portal. 3.…

🔥 **Urgency**: **CRITICAL**. With `PR:N` (No Privileges) and `AC:L` (Low Complexity), this is a 'plug-and-play' vulnerability for attackers. Immediate isolation or mitigation is required to prevent data breaches.