Risk | High |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2023-32653 CVE-2023-40163 CVE-2023-35002 CVE-2023-28393 CVE-2023-32614 CVE-2023-23567 CVE-2023-32284 CVE-2023-39453 |
CWE-ID | CWE-787 CWE-122 CWE-121 CWE-416 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | ImageGear (Web applications / Modules and components for CMS) |
Vendor | Accusoft Corporation |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU81108
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-32653
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error in the dcm_pixel_data_decode functionality. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1802
EUVDB-ID: #VU81115
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-40163
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in the allocate_buffer_for_jpeg_decoding functionality. A remote attacker can use a specially crafted file, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1836
EUVDB-ID: #VU81114
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-35002
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the pictwread functionality. A remote attacker can use a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1760
EUVDB-ID: #VU81113
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-28393
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the tif_processing_dng_channel_count functionality. A remote unauthenticated attacker can use a specially crafted file, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1742
EUVDB-ID: #VU81112
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-32614
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the create_png_object functionality. A remote attacker can use a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1749
EUVDB-ID: #VU81111
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-23567
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the CreateDIBfromPict functionality. A remote attacker can use a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1729
EUVDB-ID: #VU81110
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-32284
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error in the tiff_planar_adobe functionality. A remote attacker can use a specially crafted file, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1750
EUVDB-ID: #VU81109
Risk: High
CVSSv3.1:
CVE-ID: CVE-2023-39453
CWE-ID:
Exploit availability:
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in the tif_parse_sub_IFD functionality. A remote attacker can use a specially crafted file and execute arbitrary code on the target system.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: ImageGear: 20.1
Fixed software versions:
CPE2.3:
External links:
http://talosintelligence.com/vulnerability_reports/TALOS-2023-1830