PatchSiren cyber security CVE debrief
CVE-2023-2889 Veon Computer CVE debrief
CVE-2023-2889 is a critical SQL injection vulnerability in Veom Service Tracking Software. NVD rates it as network exploitable with no privileges or user interaction required, and the impact is high for confidentiality, integrity, and availability. The advisory text says the affected software is Service Tracking Software before crm 2.0.
- Vendor: Veon Computer
- Product: Service Tracking Software
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-11-22
- Original CVE updated: 2024-11-21
- Advisory published: 2023-11-22
- Advisory updated: 2024-11-21
Who should care
Organizations running Veom/Veon Service Tracking Software, especially admins responsible for externally reachable or business-critical deployments, should treat this as urgent. Security teams should prioritize any instance that may match the affected product/version range and verify exposure promptly.
Technical summary
NVD lists this issue as CWE-89 (SQL Injection) with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: a network-reachable flaw of low attack complexity that needs no privileges and no user interaction, with scope unchanged and high impact on confidentiality, integrity, and availability. The source data ties the vulnerability to cpe:2.3:a:veom:service_tracking:*:*:*:*:*:*:*:* and marks versions through 20231122 as vulnerable, while the description states "before crm 2.0." Because the two versioning signals differ (a date-style CPE bound versus a product-release name), defenders should validate the exact affected build against vendor guidance before concluding exposure scope.
Defensive priority
Critical / immediate. This is an unauthenticated network-reachable SQL injection with high impact, so exposed installations should be prioritized for patching or containment now.
Recommended defensive actions
- Inventory all Service Tracking installations and confirm whether any instance matches the affected version range.
- Treat internet-facing or partner-accessible deployments as highest priority for containment and upgrade.
- Upgrade to the vendor-fixed release referenced by the advisory; verify whether crm 2.0 or later is the remediation threshold before closing the issue.
- If immediate patching is not possible, restrict access to the application, place it behind strong network controls, and minimize exposure to trusted users only.
- Review application and database logs for signs of anomalous SQL activity or unexpected queries, looking both before and after the 2023-11-22 disclosure date, since an unauthenticated flaw may have been exploited before it was published.
- If compromise is suspected, rotate credentials and assess database integrity and access history.
- Apply defense-in-depth controls such as parameterized queries, server-side input validation, least-privilege database accounts, and WAF rules where appropriate.
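The two technical items above, parameterized queries as the fix for CWE-89 and a log review for anomalous SQL, are illustrated by the following added example. It is generic example code written for this debrief, not code from Service Tracking Software or from Veon Computer; the ticket table, the search endpoint path, the payloads and the access-log lines are all constructed here for illustration.

```python
"""Added example for this debrief: the CWE-89 pattern (untrusted input
concatenated into SQL) beside its parameterized fix, plus a coarse scan of
constructed access-log lines for injection indicators.  Not the vendor's code;
the table, endpoint and log format are assumptions made for the demo.
"""
import re
import sqlite3
from urllib.parse import unquote


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a service-ticket store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, customer TEXT, notes TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(1, "acme", "printer"), (2, "globex", "laptop"), (3, "initech", "router")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """CWE-89: the attacker-controlled value becomes part of the SQL text,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, customer FROM tickets WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """Remediated form: the driver binds the value as data, so quotes,
    OR clauses and comment markers in the input never reach the parser."""
    return conn.execute(
        "SELECT id, customer FROM tickets WHERE customer = ?", (customer,)
    ).fetchall()


# Coarse indicators for a first-pass log review (assumption: the query string
# is URL-encoded as in a typical web access log; tune before relying on it).
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*'?", re.I),   # ' OR '1'='1
    re.compile(r"union\s+(all\s+)?select", re.I),          # UNION SELECT ...
    re.compile(r"--|/\*|;\s*drop\s", re.I),                # comment-out / stacked DROP
    re.compile(r"sleep\(|benchmark\(|waitfor\s+delay", re.I),  # time-based probes
]

# Constructed sample log: one normal search and two injection attempts.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [22/Nov/2023:10:01:02 +0000] "GET /service/search?customer=acme HTTP/1.1" 200 512
10.0.0.9 - - [22/Nov/2023:10:01:07 +0000] "GET /service/search?customer=acme'%20OR%20'1'='1 HTTP/1.1" 200 40211
10.0.0.9 - - [22/Nov/2023:10:01:09 +0000] "GET /service/search?customer=x'%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 500 133
"""


def suspicious_requests(log_text: str) -> list:
    """Return (client_ip, decoded_request_target) for lines whose URL-decoded
    request target matches any indicator.  Decoding first matters: the raw
    line carries %20 and would miss the 'OR' pattern otherwise."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        target = unquote(m.group(1))
        if any(p.search(target) for p in SQLI_PATTERNS):
            hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    db = build_db()
    payload = "acme' OR '1'='1"
    print("vulnerable :", lookup_vulnerable(db, payload))      # every row leaks
    print("parameterized:", lookup_parameterized(db, payload)) # no such customer
    for ip, target in suspicious_requests(CONSTRUCTED_LOG):
        print("suspicious:", ip, target)
```

The vulnerable lookup returns all three tickets for the `' OR '1'='1` payload while the parameterized lookup returns nothing, which is the whole difference between the CWE-89 pattern and its fix. The log scan is intentionally simple and will produce false positives on legitimate input containing SQL keywords; it is meant to narrow a log review, not to replace one.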
Evidence notes
Grounded in the NVD CVE record and the USOM third-party advisory linked from the source corpus. The source data contains an inconsistency in vendor spelling ("Veom" vs. "Veon") and in version wording ("before crm 2.0" versus NVD CPE coverage through 20231122); this debrief preserves both as reported and avoids asserting a fixed remediation version beyond what the source text supports.
Official resources
- CVE-2023-2889 CVE record (CVE.org)
- CVE-2023-2889 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: USOM third-party advisory ([email protected] - Third Party Advisory)
CVE published by NVD and CVE.org on 2023-11-22 and last modified on 2024-11-21 in the supplied source data. No KEV listing is present in the provided corpus.