cvelist / Twcert / CVELIST:CVE-2023-41357
History: Nov 03, 2023 - 6:09 a.m.

CVE-2023-41357 Galaxy Software Services Vitals ESP - Arbitrary File Upload

2023-11-03 06:09:18
CWE-434
twcert
www.cve.org
cve-2023-41357
galaxy software services
vitals esp
arbitrary file upload
online knowledge base
insufficient filtering
validation
remote attacker
general user privilege
vulnerability
execute scripts
arbitrary directories
system operations
service disruption

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9 High
Confidence: High

EPSS: 0.001 Low
Percentile: 45.2%

Galaxy Software Services Corporation Vitals ESP is an online knowledge base management portal that has insufficient filtering and validation during file upload. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload scripts to arbitrary directories and execute them, in order to perform arbitrary system operations or disrupt service.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Vitals ESP ",
    "vendor": "Galaxy Software Services",
    "versions": [
      {
        "status": "affected",
        "version": "6.1 and prior"
      }
    ]
  }
]
