PatchSiren cyber security CVE debrief
CVE-2023-6191 Egehan Security CVE debrief
CVE-2023-6191 is a critical SQL injection vulnerability in Egehan Security WebPDKS. NVD records it as remotely exploitable with no privileges or user interaction required and assigns a CVSS 3.1 base score of 9.8. The issue is mapped to CWE-89 (improper neutralization of special elements used in an SQL command). The description gives the affected range as WebPDKS through 2024-03-29, which reads as a date-stamped build rather than a conventional version number; no fixed release is identified in the stored data. The source description also notes that the vendor was contacted early about the disclosure but did not respond.
- Vendor
- Egehan Security
- Product
- WebPDKS
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-03-29
- Original CVE updated
- 2026-05-20
- Advisory published
- 2024-03-29
- Advisory updated
- 2026-05-20
Who should care
Administrators and security teams running WebPDKS, especially any environment exposing the application to untrusted network traffic. Because the flaw is network-reachable and requires no authentication or user action, internet-facing deployments and systems that process sensitive data should treat this as urgent.
Technical summary
The vulnerability is an SQL injection issue in WebPDKS: user-controlled input reaches an SQL statement without being neutralized, so an unauthenticated client that can reach the application can alter the structure of a query rather than only the data it compares against. The supplied data does not identify the affected endpoint or parameter. NVD classifies the weakness as CWE-89 and assigns the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting a remotely reachable attack path with potentially severe confidentiality, integrity, and availability consequences. The NVD CPE entry marks cpe:2.3:a:webpdks:webpdks:-:* as vulnerable without specifying a narrowed version range or a fixed release. Note that the CPE vendor string is webpdks rather than an Egehan Security identifier, so asset inventories keyed on vendor name alone may fail to match this entry.
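To make the CWE-89 pattern concrete, the following is an added example and not code from WebPDKS or from Egehan Security: the schema, table and column names are invented for illustration, and an in-memory SQLite database stands in for whatever database the product uses. It places a lookup that splices user input into SQL text beside the parameterized form that removes the flaw, and shows the two classic payload shapes (a tautology and a UNION read) succeeding against the first and failing against the second:

```python
import sqlite3


def make_db():
    """Hypothetical personnel table; names are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, username TEXT, badge TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO employees (username, badge, role) VALUES (?, ?, ?)",
        [("ayse", "1001", "admin"), ("mehmet", "1002", "staff"), ("elif", "1003", "staff")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """CWE-89: the caller-supplied value is spliced into the SQL text, so a
    quote character in the input changes the query's structure, not its data."""
    query = "SELECT username, badge, role FROM employees WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Fixed form: the value is handed to the driver as a bound parameter and
    is only ever compared as data, whatever characters it contains."""
    query = "SELECT username, badge, role FROM employees WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payloads = {
        # turns the WHERE clause into a constant-true condition: every row comes back
        "tautology": "' OR '1'='1",
        # appends a second SELECT so the attacker reads the whole table
        "union": "x' UNION SELECT username, badge, role FROM employees --",
    }
    for label, payload in payloads.items():
        print(label, "vulnerable ->", len(lookup_vulnerable(conn, payload)), "rows")
        print(label, "parameterized ->", len(lookup_parameterized(conn, payload)), "rows")
```

Both payloads return all three rows through the concatenating version and zero rows through the parameterized one, which is the behaviour a patched WebPDKS build should exhibit for the affected input.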
Defensive priority
Urgent. The combination of network exposure, no privileges, no user interaction, and high impact across confidentiality, integrity, and availability makes this a high-priority remediation item.
Recommended defensive actions
- Inventory all WebPDKS deployments and identify which instances are reachable from untrusted networks.
- Restrict exposure immediately where possible, such as limiting network access to trusted administrative sources.
- Apply vendor or distributor guidance as soon as a fix becomes available; the supplied data does not identify a patched version.
- Review application and database logs for unexpected SQL errors, unusual query patterns, or signs of tampering around the disclosure date and after. URL-decode request parameters before matching, since injection payloads usually arrive percent-encoded, and correlate bursts of server-side errors with the client addresses that produced them.
- If patching is not immediately available, place compensating controls in front of the application, such as strict network access controls and a web application firewall with SQL injection rule sets. Treat signature-based filtering as a stopgap that a determined attacker can often evade, not as a substitute for a fix in the application's query handling.
- Validate that downstream systems and data stores accessed by WebPDKS have not been impacted by unauthorized queries or data changes.
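The log review step above is easier to act on with a concrete check. The following is an added example, not part of the advisory or of the product: it scans constructed web-server access-log lines in combined log format (addresses are from the documentation ranges; the request paths and parameter names are invented and do not describe real WebPDKS endpoints) for URL-encoded SQL injection payloads, reports which heuristic rule matched, and groups hits by client address together with the 5xx responses they triggered:

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines. Paths and parameter names are invented and
# are not WebPDKS endpoints; addresses are documentation ranges.
LOG_LINES = """\
203.0.113.10 - - [30/Mar/2024:08:12:01 +0300] "GET /app/personnel?id=1042 HTTP/1.1" 200 5120
203.0.113.10 - - [30/Mar/2024:08:12:07 +0300] "GET /app/personnel?id=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98231
203.0.113.10 - - [30/Mar/2024:08:12:15 +0300] "GET /app/personnel?id=1042%27%20UNION%20SELECT%20name%2Cpassword%2C3%20FROM%20users-- HTTP/1.1" 500 1203
198.51.100.7 - - [30/Mar/2024:08:13:02 +0300] "POST /app/login HTTP/1.1" 302 0
198.51.100.7 - - [30/Mar/2024:08:13:40 +0300] "GET /app/report?date=2024-03-29 HTTP/1.1" 200 7710
""".splitlines()

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Heuristic signatures for the common injection shapes. Pattern matching is a
# triage aid, not proof; tune these against your own traffic for false positives.
SQLI_RULES = [
    ("tautology", re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+'?", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("comment-terminator", re.compile(r"--\s*$|--\s|/\*")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)),
]


def scan_access_log(lines):
    """Return (ip, timestamp, parameter, matched_rules, status) for each request
    whose decoded path or query parameter matches an injection signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format; skip rather than guess
        parts = urlsplit(m["target"])
        # parse_qsl removes one layer of percent-encoding; decoding once more
        # also catches double-encoded payloads (%2527 -> %27 -> ').
        candidates = [("<path>", unquote_plus(parts.path))]
        candidates += [
            (key, unquote_plus(value))
            for key, value in parse_qsl(parts.query, keep_blank_values=True)
        ]
        for name, value in candidates:
            hits = [rule for rule, pattern in SQLI_RULES if pattern.search(value)]
            if hits:
                findings.append((m["ip"], m["ts"], name, hits, int(m["status"])))
    return findings


def suspicious_sources(findings):
    """Group hits by client address so a single probing host stands out, and
    count the server errors it caused (SQL errors often surface as 5xx)."""
    by_ip = {}
    for ip, _ts, _name, _hits, status in findings:
        entry = by_ip.setdefault(ip, {"requests": 0, "server_errors": 0})
        entry["requests"] += 1
        if status >= 500:
            entry["server_errors"] += 1
    return by_ip


if __name__ == "__main__":
    found = scan_access_log(LOG_LINES)
    for finding in found:
        print(finding)
    print(suspicious_sources(found))
```

On the constructed input only the two probing requests from 203.0.113.10 are flagged (one tautology, one UNION read with a comment terminator), and the second of them coincides with a 500 response, which is the combination worth pulling database logs for.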
Evidence notes
Evidence in the supplied corpus shows: NVD classifies CVE-2023-6191 as CWE-89 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; the vulnerable CPE is listed as cpe:2.3:a:webpdks:webpdks:-:*:*:*:*:*:*:*; the description states the issue affects WebPDKS through 2024-03-29; and the source description notes early vendor contact without response. Official and source references include NVD, CVE.org, and USOM-linked advisories.
Official resources
- CVE-2023-6191 CVE record (CVE.org)
- CVE-2023-6191 NVD detail (NVD)
- Source item: nvd_modified feed entry
- Source reference / mitigation or vendor reference: USOM-linked Third Party Advisory listed by NVD (the reporting contact address is obscured in the stored copy)
Published on 2024-03-29. The supplied description states that the vendor was contacted early about the disclosure but did not respond.