Omnis Studio 10.22.00 has incorrect access control. It advertises a feature for making Omnis libraries "always private" - this is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks. This violates the expected behavior of an "irreversible operation".
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/173695/Omnis-Studio-10.22.00-Library-Setting-Bypass.html | Exploit Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2023/Jul/41 | Exploit Mailing List Third Party Advisory |
http://seclists.org/fulldisclosure/2023/Jul/43 | Not Applicable |
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-005.txt | Third Party Advisory |
Configurations
History
31 Jul 2023, 18:42
Type | Values Removed | Values Added |
---|---|---|
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/43 - Not Applicable | |
References | (MISC) http://packetstormsecurity.com/files/173695/Omnis-Studio-10.22.00-Library-Setting-Bypass.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-005.txt - Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2023/Jul/41 - Exploit, Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:omnis:studio:10.22.00:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.3 |
First Time |
Omnis studio
Omnis |
|
CWE | NVD-CWE-Other |
26 Jul 2023, 07:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
24 Jul 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
21 Jul 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
20 Jul 2023, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-20 18:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-38335
Mitre link : CVE-2023-38335
CVE.ORG link : CVE-2023-38335
JSON object : View
Products Affected
omnis
- studio
CWE