CVE-2023-34209

Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://zuso.ai/Advisory/ZA-2023-06	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:easyuse:mailhunter_ultimate:*:*:*:*:*:*:*:*

History

20 Oct 2023, 18:09

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
First Time		Easyuse mailhunter Ultimate Easyuse
CPE		cpe:2.3:a:easyuse:mailhunter_ultimate::::::::
References	~~(MISC) https://zuso.ai/Advisory/ZA-2023-06 -~~	(MISC) https://zuso.ai/Advisory/ZA-2023-06 - Third Party Advisory
CWE		NVD-CWE-Other

17 Oct 2023, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-17 05:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-34209

Mitre link : CVE-2023-34209

CVE.ORG link : CVE-2023-34209

JSON object : View

Products Affected

easyuse

mailhunter_ultimate

CWE

NVD-CWE-Other CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

{"id": "CVE-2023-34209", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "ART@zuso.ai", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2023-10-17T05:15:50.207", "references": [{"url": "https://zuso.ai/Advisory/ZA-2023-06", "tags": ["Third Party Advisory"], "source": "ART@zuso.ai"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "ART@zuso.ai", "description": [{"lang": "en", "value": "CWE-497"}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter."}, {"lang": "es", "value": "La exposici\u00f3n de informaci\u00f3n confidencial del sistema a una esfera de control no autorizada en la funci\u00f3n de creaci\u00f3n de plantilla en EasyUse MailHunter Ultimate 2023 y versiones anteriores permite a los usuarios autenticados remotamente obtener la ruta absoluta a trav\u00e9s del par\u00e1metro VIEWSTATE no cifrado."}], "lastModified": "2023-10-20T18:09:35.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:easyuse:mailhunter_ultimate:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94D027C5-7AB4-4652-A7E8-4F979194ED01", "versionEndIncluding": "2023"}], "operator": "OR"}]}], "sourceIdentifier": "ART@zuso.ai"}