Multiple vulnerabilities in NXLog Manager

Posted date 31/05/2023
Identifier

INCIBE-2023-0199

Importance
3 - Medium
Affected Resources

NXLog Manager, 5.6.5633 version.

Description

INCIBE has coordinated the publication of 3 vulnerabilities in NXLog Manager, an agent management and monitoring console, which have been discovered by Juampa Rodríguez.

These vulnerabilities have been assigned the following codes:

  • CVE-2023-32790:
    • CVSS v3.1 base score: 4.6.
    • CVSS vector string: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L.
    • Vulnerability type: CWE-79: improper neutralization of input during web page generation ('Cross-site Scripting').
  • CVE-2023-32791:
    • CVSS v3.1 base score: 6.5.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N.
    • Vulnerability type: CWE-352: Cross-Site Request Forgery (CSRF).
  • CVE-2023-32792:
    • CVSS v3.1 base score: 6.5.
    • CVSS vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N.
    • Vulnerability type: CWE-352: Cross-Site Request Forgery (CSRF).
Solution

No solution has been identified at this time.

Detail
  • CVE-2023-32790: Cross-Site Scripting (XSS) vulnerability in NXLog Manager. This vulnerability allows an attacker to inject a malicious JavaScript payload into the 'Full Name' field when editing a user, because the input parameter is not properly sanitized before being rendered.
  • CVE-2023-32791: Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager. This vulnerability allows an attacker to manipulate and delete user accounts within the platform by sending a specially crafted request to the server. The vulnerability stems from the lack of proper validation of the origin of incoming requests.
  • CVE-2023-32792: Cross-Site Request Forgery (CSRF) vulnerability in NXLog Manager. This vulnerability allows an attacker to delete roles within the platform by sending a specially crafted request to the server. The vulnerability stems from the absence of proper validation of the origin of incoming requests.
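The XSS item above (CVE-2023-32790) comes down to a user-controlled field being written into a page without output encoding. The following Python is an added illustration, not code from NXLog Manager or from the advisory: it assumes the 'Full Name' value is reflected both into a form attribute and into page text, and contrasts naive concatenation with contextual escaping. The sample names, the markup template and the helper names are all constructed for this example.

```python
"""Added example: rendering a user-supplied 'Full Name' with and without output encoding."""
import html
import re

# Constructed sample values. The second one stands in for the kind of
# markup-bearing input the advisory describes; the third checks that
# quote characters are escaped too (they matter in attribute context).
SAMPLE_NAMES = [
    "Ada Lovelace",
    "<script>alert(1)</script>",
    'Grace "Amazing" O\'Hopper',
]

# Assumed template: the name goes into a quoted attribute and into text.
# The template itself emits exactly three tags: <input ...>, <p>, </p>.
TEMPLATE_TAG_COUNT = 3
_TAG_RE = re.compile(r"</?[a-zA-Z]")


def render_vulnerable(full_name: str) -> str:
    """Naive rendering: the raw field is concatenated into the markup, so
    any HTML or JavaScript in the name becomes part of the page."""
    return f'<input name="fullname" value="{full_name}"><p>{full_name}</p>'


def render_hardened(full_name: str) -> str:
    """Contextual output encoding: escape <, >, &, " and ' before the value
    is inserted, so the browser treats it as data in both contexts."""
    safe = html.escape(full_name, quote=True)
    return f'<input name="fullname" value="{safe}"><p>{safe}</p>'


def is_acceptable_full_name(full_name: str) -> bool:
    """Defence in depth on input: a display name has no business containing
    angle brackets or control characters. This is a constructed policy,
    not a substitute for escaping on output."""
    if not 0 < len(full_name) <= 128:
        return False
    return not any(ch in "<>" or ord(ch) < 32 for ch in full_name)


def injected_tag_count(rendered: str) -> int:
    """Detection helper: how many tags appear beyond the template's own.
    Anything above zero means the untrusted value introduced markup."""
    return len(_TAG_RE.findall(rendered)) - TEMPLATE_TAG_COUNT


def compare_renderings(names=SAMPLE_NAMES) -> dict:
    """Return, per sample, the injected tag count for each rendering."""
    return {
        name: {
            "vulnerable": injected_tag_count(render_vulnerable(name)),
            "hardened": injected_tag_count(render_hardened(name)),
            "input_accepted": is_acceptable_full_name(name),
        }
        for name in names
    }


if __name__ == "__main__":
    for name, result in compare_renderings().items():
        print(f"{name!r}: {result}")
```

Escaping on output is the fix that closes the issue regardless of where the value came from; the input check only narrows what gets stored and makes malicious attempts visible in validation logs.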
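Both CSRF items (CVE-2023-32791 and CVE-2023-32792) describe state-changing endpoints that accept a request without checking where it came from. The Python below is an added example of the server-side check a defender would want, not NXLog Manager's code: it combines source-origin validation (Origin, falling back to Referer, plus the Sec-Fetch-Site hint where a browser sends it) with a per-session synchronizer token. The application origin, the request paths, the session token and the sample requests are all assumed or constructed for this example.

```python
"""Added example: rejecting cross-site state-changing requests (origin check + synchronizer token)."""
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Assumed deployment origin and a constructed session token; a real one
# would be generated per session with a CSPRNG and tied to the session.
APP_ORIGIN = "https://manager.example"
SESSION_TOKEN = "c0nstructed-s3ssion-t0ken"

# Constructed sample requests (paths are hypothetical). Each is a dict with
# method, path, headers and form fields, as a framework would hand them over.
SAMPLE_REQUESTS = {
    "legit_delete_user": {
        "method": "POST", "path": "/users/delete",
        "headers": {"Origin": APP_ORIGIN, "Sec-Fetch-Site": "same-origin"},
        "form": {"user_id": "42", "csrf_token": SESSION_TOKEN},
    },
    "cross_site_delete_user": {
        "method": "POST", "path": "/users/delete",
        "headers": {"Origin": "https://attacker.example", "Sec-Fetch-Site": "cross-site"},
        "form": {"user_id": "42"},
    },
    "no_token_delete_role": {
        "method": "POST", "path": "/roles/delete",
        "headers": {"Referer": APP_ORIGIN + "/roles"},
        "form": {"role": "admin"},
    },
    "view_users": {"method": "GET", "path": "/users", "headers": {}, "form": {}},
}


def _source_origin(headers: dict):
    """Origin the browser reports for the request: the Origin header first,
    else scheme://host derived from Referer, else None."""
    origin = headers.get("Origin")
    if origin and origin != "null":
        return origin.lower()
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_verdict(request: dict, expected_origin: str, session_token: str):
    """Return (accepted, reason). Reads are allowed; writes must come from
    the application's own origin and carry the session's CSRF token."""
    if request["method"].upper() in SAFE_METHODS:
        return True, "safe method"
    headers = request["headers"]
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site and fetch_site not in ("same-origin", "none"):
        return False, f"Sec-Fetch-Site={fetch_site}"
    source = _source_origin(headers)
    if source is None:
        return False, "no Origin or Referer header"
    if source != expected_origin.lower():
        return False, f"origin mismatch: {source}"
    token = request["form"].get("csrf_token", "")
    if not session_token or not hmac.compare_digest(token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def evaluate_samples() -> dict:
    """Accept/reject decision for every constructed sample request."""
    return {
        name: csrf_verdict(req, APP_ORIGIN, SESSION_TOKEN)[0]
        for name, req in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        accepted, reason = csrf_verdict(req, APP_ORIGIN, SESSION_TOKEN)
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} ({reason})")
```

Rejecting a request with no Origin and no Referer is the conservative choice for an administration console; the rejection reason is worth logging, since a burst of origin mismatches against the user or role deletion endpoints is exactly the signal a detection rule for this class of issue would key on.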