Lucene search

[email protected]NVD:CVE-2023-25267

HistoryMar 15, 2023 - 10:15 p.m.

CVE-2023-25267

2023-03-1522:15:10

CWE-787

[email protected]

web.nvd.nist.gov

cve-2023-25267

gfi kerio connect

buffer overflow

webmail

2fasetup

authenticated request

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.7%

JSON

An issue was discovered in GFI Kerio Connect 9.4.1 patch 1 (fixed in 10.0.0). There is a stack-based Buffer Overflow in the webmail component’s 2FASetup function via an authenticated request with a long primaryEMailAddress field to the webmail/api/jsonrpc URI.

Affected configurations

NVD

Node

gfikerio_connectMatch9.4.1patch1

References

gist.github.com/Frycos/62fa664bacd19a85235be19c6e4d7599

support.kerioconnect.gfi.com/hc/en-us/articles/9044634878226-Kerio-Connect-10-0-0-Release-Notes

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.6 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

36.7%

JSON

Related for NVD:CVE-2023-25267

prion1 cvelist1 cve1