CVE-2023-35189 - OpenCVE

Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote code execution vulnerability that could allow an unauthenticated user to upload a malicious payload and execute it.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Iagona	Scrutisweb

Configuration 1 [-]

cpe:2.3:a:iagona:scrutisweb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03

History

No history.

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2023-07-18T17:12:24.681Z

Updated: 2024-08-02T16:23:59.626Z

Reserved: 2023-07-13T17:28:15.859Z

Link: CVE-2023-35189

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-18T18:15:12.370

Modified: 2023-07-27T17:43:17.170

Link: CVE-2023-35189

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35189", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-07-13T17:28:15.859Z", "datePublished": "2023-07-18T17:12:24.681Z", "dateUpdated": "2024-08-02T16:23:59.626Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ScrutisWeb", "vendor": "iagona", "versions": [{"lessThanOrEqual": "2.1.37", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Neil Graves, Jorian van den Hout, and Malcolm Stagg reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\nIagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote \ncode execution vulnerability that could allow an unauthenticated user to\n upload a malicious payload and execute it.\n\n</p>"}], "value": "Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote \ncode execution vulnerability that could allow an unauthenticated user to\n upload a malicious payload and execute it.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-07-18T17:14:57.706Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\nIagona has developed and released Iagona ScrutisWeb v2.1.38.\n\n<br>"}], "value": "Iagona has developed and released Iagona ScrutisWeb v2.1.38.\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "Iagona ScrutisWeb Unrestricted Upload of File with Dangerous Type", "x_generator": {"engine": "VINCE 2.1.2", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2023-35189"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.626Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03", "tags": ["x_transferred"]}]}]}}