CVE-2023-45727

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://jvn.jp/en/jp/JVN95981460/	Third Party Advisory
https://www.proself.jp/information/153/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:northgrid:proself:::::mail_sanitize:::*
	cpe:2.3:a:northgrid:proself:::::gateway:::*
	cpe:2.3:a:northgrid:proself:::::enterprise:::*
	cpe:2.3:a:northgrid:proself:::::standard:::*

History

No history.

Information

Published : 2023-10-18 10:15

Updated : 2023-10-25 17:31

NVD link : CVE-2023-45727

Mitre link : CVE-2023-45727

CVE.ORG link : CVE-2023-45727

JSON object : View

Products Affected

northgrid

proself

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-45727", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-18T10:15:08.643", "references": [{"url": "https://jvn.jp/en/jp/JVN95981460/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.proself.jp/information/153/", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker."}, {"lang": "es", "value": "Proself Enterprise/Standard Edition Ver5.62 y anteriores, Proself Gateway Edition Ver1.65 y anteriores, y Proself Mail Sanitize Edition Ver1.08 y anteriores permiten a un atacante remoto no autenticado realizar ataques de entidad externa XML (XXE). Al procesar una solicitud especialmente manipulada que contiene datos XML con formato incorrecto, el atacante puede leer archivos arbitrarios en el servidor que contienen informaci\u00f3n de la cuenta."}], "lastModified": "2023-10-25T17:31:59.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:mail_sanitize:*:*:*", "vulnerable": true, "matchCriteriaId": "6D6F51B5-6B83-41C4-A1F6-9D10CB601DB5", "versionEndExcluding": "1.09"}, {"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:gateway:*:*:*", "vulnerable": true, "matchCriteriaId": "F1BB1954-50C1-40A8-9F47-415ECBB6259F", "versionEndExcluding": "1.66"}, {"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "66942ECC-2DB7-4B63-9364-FC7D71722355", "versionEndExcluding": "5.63"}, {"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:standard:*:*:*", "vulnerable": true, "matchCriteriaId": "1ED1659B-802E-4F0F-9CF3-BD1BBED1A27F", "versionEndExcluding": "5.63"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}