PatchSiren cyber security CVE debrief
CVE-2023-35065 Osoft CVE debrief
CVE-2023-35065 is a critical SQL injection vulnerability affecting Osoft Paint Production Management before version 2.1. NVD rates the issue 9.8 (CVSS v3.1) and maps it to CWE-89. The vulnerability is network exploitable, requires no authentication or user interaction, and can impact confidentiality, integrity, and availability.
- Vendor: Osoft
- Product: Paint Production Management
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-09-05
- Original CVE updated: 2024-11-21
- Advisory published: 2023-09-05
- Advisory updated: 2024-11-21
Who should care
Administrators, security teams, and operators running Osoft Paint Production Management before 2.1 should treat this as urgent, especially if the application is reachable from untrusted networks or integrated into production workflows.
Technical summary
NVD identifies CVE-2023-35065 as an SQL injection issue in Osoft's production management software, with the vulnerable CPE range covering versions before 2.1. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates remote exploitation is possible without privileges or user interaction, and successful exploitation could expose data, alter records, or disrupt service. The public record does not say which request parameter or query is affected, so defenders should assume any user-controlled input that reaches the database is in scope until the vendor fix is applied.
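The following is an added illustration of the CWE-89 weakness class NVD assigns to this CVE; it is not Osoft's code and does not reconstruct the actual vulnerable query, which the public record does not disclose. The table, the `batch_id` parameter and the tautology payload are constructed for the example. It runs against an in-memory SQLite database and shows the string-built query returning every row for an injected input while the parameterized version treats the same input as plain data.

```python
"""Generic CWE-89 illustration: string-built SQL vs. a parameterized query.

Added example code, not Osoft's software or a reconstruction of the
CVE-2023-35065 code path. The table, column names and the 'batch_id'
parameter are hypothetical; only the mechanism is the point.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a constructed sample table of production batches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE batches (id TEXT PRIMARY KEY, colour TEXT, qty INTEGER)")
    conn.executemany(
        "INSERT INTO batches VALUES (?, ?, ?)",
        [("B-1001", "red", 40), ("B-1002", "blue", 25), ("B-1003", "white", 60)],
    )
    return conn


def lookup_batch_vulnerable(conn: sqlite3.Connection, batch_id: str) -> list:
    """Vulnerable pattern: untrusted input is pasted into the SQL text (CWE-89).

    An input such as  ' OR '1'='1  rewrites the WHERE clause, so an
    unauthenticated caller retrieves every row instead of the one they named.
    """
    sql = "SELECT id, colour, qty FROM batches WHERE id = '" + batch_id + "'"
    return conn.execute(sql).fetchall()


def lookup_batch_safe(conn: sqlite3.Connection, batch_id: str) -> list:
    """Hardened pattern: the value is bound as a parameter, never spliced into SQL.

    The same payload is compared literally against the id column and matches
    nothing, because the database sees it as data, not syntax.
    """
    sql = "SELECT id, colour, qty FROM batches WHERE id = ?"
    return conn.execute(sql, (batch_id,)).fetchall()


INJECTED = "' OR '1'='1"  # constructed tautology payload


def demo() -> dict:
    """Run both lookups with a legitimate id and with the injected payload."""
    conn = setup_db()
    return {
        "legit_vulnerable": lookup_batch_vulnerable(conn, "B-1002"),
        "legit_safe": lookup_batch_safe(conn, "B-1002"),
        "injected_vulnerable": lookup_batch_vulnerable(conn, INJECTED),
        "injected_safe": lookup_batch_safe(conn, INJECTED),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both functions return the single matching row for a legitimate id; only the vulnerable one returns all three rows for the injected input. The fix is the bound parameter, not input filtering: quoting rules differ between database engines, and escaping by hand is how most CWE-89 regressions happen.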
Defensive priority
Urgent. Prioritize remediation quickly because the issue is remotely exploitable, requires no authentication, and is scored critical by CVSS.
Recommended defensive actions
- Inventory all installations of Osoft Paint Production Management and confirm whether any instance is running a version earlier than 2.1.
- Upgrade to version 2.1 or later, or otherwise apply the vendor-supported fix referenced by the official advisory.
- Restrict network exposure to the application until remediation is complete, especially from untrusted or public networks.
- Review web-server, application and database logs for signs of SQL injection: quote characters, comment sequences (--, /*), UNION SELECT or tautologies such as OR 1=1 in request parameters, and unexpected or malformed queries in database logs. Start around the CVE disclosure period, but widen the window, since exploitation may predate public disclosure.
- If compromise is suspected, investigate affected accounts, data integrity, and related systems, and rotate credentials as appropriate.
- Use the official NVD record and the linked USOM advisory to validate remediation guidance and affected-version details.
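The log-review step above, as an added worked example that is not an Osoft detection rule and not part of the original advisory: it scans constructed access-log lines for the request-parameter indicators listed there. The log format, the `/batches` path and the `id` parameter are assumptions; the real application's injection point is not documented in the CVE record, so each hit is a lead for a human to confirm against the database log, not a verdict.

```python
"""Triage of constructed access-log lines for SQL-injection indicators.

Added example for the log-review step; the log layout, paths and parameter
names are hypothetical and the sample lines are constructed. It does not
know the actual injection point of CVE-2023-35065.
"""
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import unquote_plus

# Combined-log shape (constructed format, chosen only for the example).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Indicators applied to the URL-decoded query string. Decoding first matters:
# attackers percent-encode quotes and spaces, and %27 never matches "'".
INDICATORS = {
    "tautology": re.compile(r"\b(or|and)\s+(['\"]?)(\w+)\2\s*=\s*\2?\3", re.I),
    "union_select": re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "comment_truncation": re.compile(r"'\s*(--|#)|--\s*$|/\*"),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec|xp_\w+)\b", re.I),
}

# Published CVE date, usable as an optional lower bound for the review window.
CVE_PUBLISHED = datetime(2023, 9, 5, tzinfo=timezone.utc)

# Constructed sample log: one pre-disclosure probe, one clean request, three
# injection attempts. None of this is real traffic.
SAMPLE_LOG = [
    '10.0.0.8 - - [01/Sep/2023:09:00:00 +0000] "GET /batches?id=B-1001%27%20OR%201%3D1 HTTP/1.1" 200 9044',
    '10.0.0.5 - - [06/Sep/2023:10:01:12 +0000] "GET /batches?id=B-1002 HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Sep/2023:10:02:40 +0000] "GET /batches?id=B-1002%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9044',
    '203.0.113.7 - - [06/Sep/2023:10:03:05 +0000] "GET /batches?id=x%27%20UNION%20SELECT%20name,password,3%20FROM%20users-- HTTP/1.1" 500 201',
    '198.51.100.9 - - [06/Sep/2023:10:04:00 +0000] "GET /batches?id=x%27%3B%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512',
]


def triage(lines, since: Optional[datetime] = None) -> list:
    """Return one finding per line whose decoded query trips an indicator.

    `since` narrows the review to entries at or after a timezone-aware date
    (for example the CVE publication date). Scanning everything available is
    the safer default, because exploitation can predate public disclosure.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: worth a look, but not an SQLi signal by itself
        ts = datetime.strptime(m["ts"], TS_FMT)
        if since is not None and ts < since:
            continue
        query = unquote_plus(m["target"].partition("?")[2])
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(query))
        if hits:
            findings.append({
                "line": n,
                "client": m["client"],
                "status": int(m["status"]),
                "decoded_query": query,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']} {f['client']} {f['indicators']}: {f['decoded_query']}")
```

Run without `since` first; the pre-disclosure line (the `OR 1=1` probe on 1 September) only shows up that way. Access logs carry GET parameters but not POST bodies, so pair this with the database's query or slow-query log, where a tautology or UNION that reached the engine is visible regardless of HTTP method. A 200 response with an unusually large body after an injected request (line 3 in the sample) is the pattern that most often separates a successful data pull from a failed probe.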
Evidence notes
Evidence is taken from the official NVD record and its linked USOM third-party advisory reference. NVD lists the weakness as CWE-89, the CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and the vulnerable version range as before 2.1. Note that source naming varies between the title text ('Paint Production Management') and the CPE entry ('Dyeing - Printing - Finishing Production Management'); the debrief preserves both as supplied without assuming they refer to different products.
Official resources
- CVE-2023-35065 CVE record (CVE.org)
- CVE-2023-35065 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Public CVE record published on 2023-09-05T18:15:10.067Z; later modified on 2024-11-21T08:07:54.553Z. This debrief uses the published CVE date for timing context and does not treat later processing dates as the vulnerability date.