1. EXECUTIVE SUMMARY
- CVSS v3 8.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: DEXMA
- Equipment: DEXGate
- Vulnerabilities: Cross-Site Scripting, Cross-Site Request Forgery, Improper Authentication, Cleartext Transmission of Sensitive Information, Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in the attacker impersonating a user, executing arbitrary code, and accessing the connected network.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following version of DEXGate is affected:
- DEXGate: Version 20130114
3.2 Vulnerability Overview
3.2.1 CROSS-SITE SCRIPTING (XSS) CWE-79
The affected product is vulnerable to a cross-site scripting vulnerability: an attacker with access to the web application could inject an XSS payload into the ‘hostname’ parameter and thereby introduce arbitrary JavaScript into pages served by the vulnerable software.
CVE-2023-40153 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
3.2.2 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The affected product is vulnerable to a cross-site request forgery vulnerability, which may allow an attacker to perform actions with the permissions of a victim user.
CVE-2023-42435 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (