{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-46945", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-09T20:47:17.674Z", "dateReserved": "2023-10-30T00:00:00.000Z", "datePublished": "2026-04-08T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-08T16:31:33.612Z"}, "descriptions": [{"lang": "en", "value": "QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://qd-today.github.io/qd/"}, {"url": "https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:47:01.299386Z", "id": "CVE-2023-46945", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:47:17.674Z"}}]}, "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qd-today:qd:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD7FAE1E-5E6B-40B3-B648-DF32C05DC03D", "versionEndIncluding": "20230821", "versionStartIncluding": "20220208", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request"}], "id": "CVE-2023-46945", "lastModified": "2026-04-14T19:29:23.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T17:17:01.010", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://qd-today.github.io/qd/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "qd", "vendor": "qd-today"}], "analysis": {"en": {"generated_at": "2026-04-14T21:30:00.254412+00:00", "value": {"mitigation_remediation": ["Apply the latest QD patch once it becomes available from QD Today.", "Restrict outbound connections from the QD service to only the endpoints required for its operation.", "Implement network segmentation to isolate the QD service from critical internal resources.", "Monitor outbound HTTP traffic for unusual requests that may indicate exploitation."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery (potential internal network access and data exposure)"}, "threat_synthesis": {"affected_systems": "The affected software is QD 20230821, a product of QD Today. The version is identified by the CPE string for QD, but no specific version range is supplied; therefore any installation of QD that includes the relevant component may be vulnerable.", "description_and_impact": "The vulnerability allows an attacker to send a crafted HTTP request that the QD service will forward to any target defined by the attacker, enabling the internal network or external resources to be accessed or enumerated. This server\u2011side request forgery can expose sensitive data and internal services. The weakness is classified as CWE\u2011918, reflecting improper validation of outbound requests. The attacker could potentially retrieve information, compromise internal hosts, or assist in further attacks such as lateral movement.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high severity. The EPSS score of less than 1% suggests that exploitation is currently infrequent, and the vulnerability is not listed in the CISA catalog of known exploited vulnerabilities. Attackers can trigger the flaw from external networks or internal actors with network access; the likely vector is remote exploitation via crafted requests as described."}}}}, "created": "2026-04-08T19:44:38.280232+00:00", "title": "Server\u2011Side Request Forgery in QD 20230821", "updated": "2026-04-15T16:15:11.958814+00:00", "vendors": ["qd-today", "qd-today$PRODUCT$qd"]}