Multiple vulnerabilities in EFS Software products

Posted date 23/08/2023
Identificador

INCIBE-2023-0353

Importance
5 - Critical
Affected Resources
  • Easy Address Book Web Server, version 1.6.
  • Easy Chat Server, versions 3.1 and prior.
Description

INCIBE has coordinated the publication of 7 vulnerabilities in Easy Address Book Web Server and Easy Chat Server de EFS Software, an enterprise management software, which have been discovered by Rafael Pedrero.

These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string and the CWE vulnerability type of each vulnerability:

  • CVE-2023-4491: CVSS v3.1: 9,8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-119.
  • CVE-2023-4492: CVSS v3.1: 6,1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
  • CVE-2023-4493: CVSS v3.1: 6,1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
  • CVE-2023-4494: CVSS v3.1: 9,8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-119.
  • CVE-2023-4495: CVSS v3.1: 6,1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
  • CVE-2023-4496: CVSS v3.1: 6,1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
  • CVE-2023-4497: CVSS v3.1: 6,1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.
Solution

No solution has been identified at this stage.

Detail

Vulnerabilities affecting Easy Address Book Web Server, version 1.6:

  • CVE-2023-4491: buffer overflow vulnerability, which could allow an attacker to send a very long username string to /searchbook.ghp, asking for the name via a POST request, resulting in arbitrary code execution on the remote machine.
  • CVE-2023-4492: vulnerability affecting the parameters (firstname, homephone, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate and workzip) of the /addrbook.ghp file, allowing an attacker to inject a JavaScript payload specially designed to run when the application is loaded.
  • CVE-2023-4493: Stored Cross-Site Scripting through the users_admin.ghp file that affects multiple parameters such as (firstname, homephone, lastname, lastname, middlename, workaddress, workcity, workcountry, workphone, workstate, workzip). This vulnerability allows a remote attacker to store a malicious JavaScript payload in the application to be executed when the page is loaded, resulting in an integrity impact.

Vulnerabilities affecting Easy Chat Server, versions 3.1 and earlier:

  • CVE-2023-4494: stack-based buffer overflow. An attacker could send an excessively long username string to the register.ghp file asking for the name via a GET request resulting in arbitrary code execution on the remote machine.
  • CVE-2023-4495: the affected software does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability stored via /registresult.htm (POST method), in the Resume parameter. The XSS is loaded from /register.ghp.
  • CVE-2023-4496: the affected software does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability stored via the /body2.ghp (POST method), in the mtowho parameter.
  • CVE-2023-4497: the affected software does not sufficiently encrypt user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability stored via /registresult.htm (POST method), in the Icon parameter. The XSS is loaded from /users.ghp.
Etiquetas