Relative path traversal in Setelsa Security ConacWin CB
Posted date 13/07/2023
Identifier
INCIBE-2023-0271
Importance
4 - High
Affected Resources
ConacWin CB, versions 3.8.2.2 and earlier.
Description
INCIBE has coordinated the publication of a vulnerability affecting Setelsa Security ConacWin CB, an access control platform, which has been discovered by Agustín Picazo (Black Giraffe).
The following code has been assigned to this vulnerability:
CVE-2023-3512:
- CVSS v3.1 base score: 7.5.
- CVSS vector string: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.
- Vulnerability type: CWE-23: Relative Path Traversal.
Solution
Setelsa Security has released version 3.8.2.3, which resolves the reported vulnerability.
Detail
CVE-2023-3512: relative path traversal vulnerability in Setelsa Security's ConacWin CB. Exploitation could allow an attacker to download arbitrary files from the system via the "Download file" parameter.