CVE-2023-4296

🗓️ 29 Aug 2023 21:42:48Reported by icscertType

cve🔗 web.nvd.nist.gov👁 34 Views🌐 WEB

If admin user clicks malicious link, code injection may occu

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2023-4296	30 Aug 202302:17	–	circl
CNNVD	Intland Software codeBeamer ALM 跨站脚本漏洞	29 Aug 202300:00	–	cnnvd
Cvelist	CVE-2023-4296 PTC Codebeamer Cross site scripting	29 Aug 202321:42	–	cvelist
EUVD	EUVD-2023-54167	3 Oct 202520:07	–	euvd
ICS	PTC Codebeamer	29 Aug 202306:00	–	ics
NVD	CVE-2023-4296	29 Aug 202322:15	–	nvd
Packet Storm	PTC - Codebeamer Cross Site Scripting	18 Sep 202300:00	–	packetstorm
Prion	Code injection	29 Aug 202322:15	–	prion
Positive Technologies	PT-2023-5334 · Ptc · Ptc Codebeamer	29 Aug 202300:00	–	ptsecurity
Vulnrichment	CVE-2023-4296 PTC Codebeamer Cross site scripting	29 Aug 202321:42	–	vulnrichment

NVD

Vulners

Node

intland codebeamerMatch21.09.0-

intland codebeamerMatch21.09.0sp1

intland codebeamerMatch21.09.0sp10

intland codebeamerMatch21.09.0sp11

intland codebeamerMatch21.09.0sp12

intland codebeamerMatch21.09.0sp13

intland codebeamerMatch21.09.0sp2

intland codebeamerMatch21.09.0sp3

intland codebeamerMatch21.09.0sp4

intland codebeamerMatch21.09.0sp5

intland codebeamerMatch21.09.0sp6

intland codebeamerMatch21.09.0sp7

intland codebeamerMatch21.09.0sp8

intland codebeamerMatch21.09.0sp9

intland codebeamerMatch22.04.0-

intland codebeamerMatch22.04.0sp1

intland codebeamerMatch22.04.0sp2

intland codebeamerMatch22.04.0sp3

intland codebeamerMatch22.04.0sp4

intland codebeamerMatch22.04.0sp5

intland codebeamerMatch22.10.0-

intland codebeamerMatch22.10.0sp1

intland codebeamerMatch22.10.0sp2

intland codebeamerMatch22.10.0sp3

intland codebeamerMatch22.10.0sp4

intland codebeamerMatch22.10.0sp5

intland codebeamerMatch22.10.0sp6

intland codebeamerMatch22.10.0sp7

intland codebeamerMatch22.10.0sp8

[
  {
    "defaultStatus": "unaffected",
    "product": "Codebeamer",
    "vendor": "PTC",
    "versions": [
      {
        "lessThanOrEqual": "v22.10-SP7",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v22.04-SP5",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      },
      {
        "lessThanOrEqual": "v21.09-SP13",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "2.0"
      }
    ]
  }
]

Source	Link
packetstormsecurity	www.packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html
seclists	www.seclists.org/fulldisclosure/2023/Sep/10
cisa	www.cisa.gov/news-events/ics-advisories/icsa-23-241-01
codebeamer	www.codebeamer.com/cb/wiki/31346480

Parameter	Position	Path	Description	CWE
fileName	query param	/errorHandler.spr?fileName=<html onpointermove = alert(window.origin)>	Reflected XSS via errorHandler.spr allows injection of arbitrary JavaScript to execute in admin's browser when clicking the crafted link	CWE-79
<html onpointermove = alert(window.origin)>	query param	/errorHandler.spr?fileName=<html onpointermove = alert(window.origin)>	Reflected XSS via errorHandler.spr allows injection of arbitrary JavaScript to execute in admin's browser when clicking the crafted link	CWE-79

13 Feb 2025 17:17Current

6.7Medium risk

Vulners AI Score6.7

CVSS 3.16.1 - 8.8

EPSS0.01305

SSVC

CWE-79