Headline
CVE-2023-41357: Galaxy Software Services Corporation (叡揚資訊) Vitals ESP - Arbitrary File Upload
Galaxy Software Services Corporation Vitals ESP is an online knowledge base management portal. It has insufficient filtering and validation during file upload. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload and execute scripts onto arbitrary directories to perform arbitrary system operations or disrupt service.
TVN ID
TVN-202311014
CVE ID
CVE-2023-41357
CVSS
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
Vitals ESP: 6.1 and prior
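Description
A specific parameter of Galaxy Software Services Corporation Vitals ESP is not properly validated. After logging in with user privileges, a remote attacker can exploit this vulnerability to bypass the file check mechanism, upload scripts to arbitrary system directories and execute them, in order to operate the system or disrupt service.
Solution
Please contact Galaxy Software Services Corporation to complete the upgrade or fix.
Reporter
Cyku Hong (DEVCORE)
Publication Date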
2023-11-03