[Update 01/10/2024] Multiple vulnerabilities in Canopsis of Capensis
Posted date 29/08/2023
Identificador
INCIBE-2023-0358
Importance
3 - Medium
Affected Resources
Canopsis, version 23.04-alpha3.
Description
INCIBE has coordinated the publication of 2 vulnerabilities in Canopsis, an open source hypervisor solution belonging to Capensis, which have been discovered by Pedro José Navas Pérez of Hispasec.
These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector string and the CWE vulnerability type of each vulnerability:
- CVE-2023-3196: CVSS v3.1: 4,7 | CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | CWE-79.
- CVE-2023-4564: CVSS v3.1: 4,7 | CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | CWE-79.
Solution
[Update 01/10/2024]
Canopsis version 23.10.0 includes fixes for the reported vulnerabilities, and was released on 31 October 2023.
Detail
- CVE-2023-3196: an XSS vulnerability stored in Canopsis has been found affecting version 23.04-alpha3. This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel.
- CVE-2023-4564: an XSS vulnerability stored in Canopsis has been detected affecting version 23.04-alpha3. This vulnerability could allow an attacker to store a malicious JavaScript payload in the broadcast message parameter within the admin panel.
References list
