PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-35066 Infodrom Software CVE debrief

CVE-2023-35066 is a critical SQL injection vulnerability in Infodrom's E-Invoice Approval System affecting versions before v.20230701. The issue was published on 2023-07-25 and is mapped to CWE-89. NVD lists a CVSS 3.1 vector indicating network-reachable, no-authentication, no-user-interaction access, scored 9.8 Critical.

Vendor: Infodrom Software
Product: E-Invoice Approval System
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-07-25
Original CVE updated: 2024-11-21
Advisory published: 2023-07-25
Advisory updated: 2024-11-21

Who should care

Organizations running Infodrom E-Invoice Approval System versions earlier than v.20230701 should treat this as high priority, especially teams responsible for exposed application servers, database-backed approval workflows, and patch management.

Technical summary

The NVD record identifies an SQL injection weakness in Infodrom E-Invoice Approval System, with a vulnerable version range ending before v.20230701. The reported CVSS vector indicates the flaw is reachable over the network without privileges or user interaction, and the impact is rated high for confidentiality, integrity, and availability.

Defensive priority

Critical. Prioritize remediation promptly because the vulnerability is remotely reachable, requires no authentication, and is scored 9.8/10.

Recommended defensive actions

  • Upgrade Infodrom E-Invoice Approval System to v.20230701 or later.
  • Inventory all instances of the product, including test, staging, and customer-facing deployments.
  • Review application and database logs for anomalous query patterns or unexpected error spikes around exposed endpoints.
  • Restrict exposure of the application where possible until patching is complete.
  • Validate that any compensating controls and WAF rules do not assume an attacker must first authenticate, since the flaw is reachable without credentials.

Evidence notes

The supplied NVD metadata marks the product as vulnerable before v.20230701 and assigns CWE-89. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, supporting a severe remotely reachable impact profile. A third-party advisory reference from USOM is included in the source record.

Official resources

CVE published: 2023-07-25T07:15:10.627Z. CVE last modified: 2024-11-21T08:07:54.683Z. No KEV date is listed in the supplied data.