CVE-2023-3196: Multiple Vulnerabilities Canopsis Capensis | INCIBE-CERT

This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel.

Affected Resources

Canopsis, version 23.04-alpha3.

Description

INCIBE has coordinated the publication of 2 vulnerabilities in Canopsis, an open source hypervisor solution belonging to Capensis, which have been discovered by Pedro José Navas Pérez of Hispasec.

Each vulnerability has been assigned the following identifier, CVSS v3.1 base score, CVSS vector string and CWE vulnerability type:

  • CVE-2023-3196: CVSS v3.1: 4.7 | CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | CWE-79.
  • CVE-2023-4564: CVSS v3.1: 4.7 | CVSS: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L | CWE-79.

Solution

No solution has been identified at this stage.

Detail

  • CVE-2023-3196: a stored XSS vulnerability has been found in Canopsis, affecting version 23.04-alpha3. This vulnerability could allow an attacker to store a malicious JavaScript payload in the login footer and login page description parameters within the administration panel.
  • CVE-2023-4564: a stored XSS vulnerability has been detected in Canopsis, affecting version 23.04-alpha3. This vulnerability could allow an attacker to store a malicious JavaScript payload in the broadcast message parameter within the admin panel.
