CVE-2023-34209 - OpenCVE

Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Easyuse	Mailhunter Ultimate

Configuration 1 [-]

cpe:2.3:a:easyuse:mailhunter_ultimate:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://zuso.ai/Advisory/ZA-2023-06

History

No history.

MITRE

Status: PUBLISHED

Assigner: ZUSO ART

Published: 2023-10-17T04:00:28.128Z

Updated: 2024-09-13T18:05:39.995Z

Reserved: 2023-05-30T09:41:32.477Z

Link: CVE-2023-34209

Vulnrichment

Updated: 2024-08-02T16:01:54.279Z

NVD

Status : Analyzed

Published: 2023-10-17T05:15:50.207

Modified: 2023-10-20T18:09:35.410

Link: CVE-2023-34209

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34209", "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "state": "PUBLISHED", "assignerShortName": "ZUSO ART", "dateReserved": "2023-05-30T09:41:32.477Z", "datePublished": "2023-10-17T04:00:28.128Z", "dateUpdated": "2024-09-13T18:05:39.995Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "MailHunter Ultimate", "vendor": "EasyUse Digital Technology", "versions": [{"lessThanOrEqual": "2023", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-10-17T04:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter."}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "shortName": "ZUSO ART", "dateUpdated": "2023-10-17T04:00:28.128Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://zuso.ai/Advisory/ZA-2023-06"}], "source": {"defect": ["ZA-2023-06"], "discovery": "EXTERNAL"}, "title": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in EasyUse MailHunter Ultimate", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:54.279Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://zuso.ai/Advisory/ZA-2023-06"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-13T17:37:11.061159Z", "id": "CVE-2023-34209", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T18:05:39.995Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://zuso.ai/Advisory/ZA-2023-06", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:54.279Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34209", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-13T17:37:11.061159Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-13T18:05:34.319Z"}}], "cna": {"title": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in EasyUse MailHunter Ultimate", "source": {"defect": ["ZA-2023-06"], "discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "EasyUse Digital Technology", "product": "MailHunter Ultimate", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2023"}], "defaultStatus": "affected"}], "datePublic": "2023-10-17T04:00:00.000Z", "references": [{"url": "https://zuso.ai/Advisory/ZA-2023-06", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "shortName": "ZUSO ART", "dateUpdated": "2023-10-17T04:00:28.128Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34209", "state": "PUBLISHED", "dateUpdated": "2024-09-13T18:05:39.995Z", "dateReserved": "2023-05-30T09:41:32.477Z", "assignerOrgId": "256c161b-b921-402b-8c3b-c6c9c14d5d88", "datePublished": "2023-10-17T04:00:28.128Z", "assignerShortName": "ZUSO ART"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:easyuse:mailhunter_ultimate:*:*:*:*:*:*:*:*", "matchCriteriaId": "94D027C5-7AB4-4652-A7E8-4F979194ED01", "versionEndIncluding": "2023", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter."}, {"lang": "es", "value": "La exposici\u00f3n de informaci\u00f3n confidencial del sistema a una esfera de control no autorizada en la funci\u00f3n de creaci\u00f3n de plantilla en EasyUse MailHunter Ultimate 2023 y versiones anteriores permite a los usuarios autenticados remotamente obtener la ruta absoluta a trav\u00e9s del par\u00e1metro VIEWSTATE no cifrado."}], "id": "CVE-2023-34209", "lastModified": "2023-10-20T18:09:35.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 1.4, "source": "ART@zuso.ai", "type": "Secondary"}]}, "published": "2023-10-17T05:15:50.207", "references": [{"source": "ART@zuso.ai", "tags": ["Third Party Advisory"], "url": "https://zuso.ai/Advisory/ZA-2023-06"}], "sourceIdentifier": "ART@zuso.ai", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-497"}], "source": "ART@zuso.ai", "type": "Secondary"}]}