MidnightBSD

Advisories for davinci_project

CVE-2023-24206

Davinci v0.3.0-rc was discovered to contain a SQL injection vulnerability via the copyDisplay function.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
davinci_project davinci 0.3.0
CVE-2023-31847

In davinci 0.3.0-rc after logging in, the user can connect to the mysql malicious server by controlling the data source to read arbitrary files on the client side.

Products Affected

Vendor Product Version
davinci_project davinci 0.3.0
CVE-2023-31848

davinci 0.3.0-rc is vulnerable to Server-side request forgery (SSRF).

Products Affected

Vendor Product Version
davinci_project davinci 0.3.0