Multiple vulnerabilities in Flexense VX Search Enterprise
VX Search Enterprise, 10.2.14 version.
INCIBE has coordinated the publication of 4 high severity vulnerabilities, affecting Flexense VX Search Enterprise, version 10.2.14, a rule-based file search server, which have been discovered by Rafael Pedrero.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type for each vulnerability:
- CVE-2023-49572 to CVE-2023-49575: 7.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | CWE-79
There is no reported solution at this time.
4 vulnerabilities have been discovered in VX Search Enterprise affecting version 10.2.14 that could allow an attacker to execute persistent XSS. These vulnerabilities could allow an attacker to store malicious JavaScript payloads on the system to be triggered when the page loads. The assigned CVE mapping is as follows:
- CVE-2023-49572: /setup_odbc in odbc_data_source, odbc_user and odbc_password parameters.
- CVE-2023-49573: /add_command_action in action_value.
- CVE-2023-49574: /add_job in job_name.
- CVE-2023-49575: /setup_smtp in smtp_server, smtp_user, smtp_password and smtp_email_address parameters.
