Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2023-36558, CVE-2023-36038 |
CWE-ID | CWE-254, CWE-20 |
Exploitation vector | Network |
Public exploit | Vulnerability #2 is being exploited in the wild. |
Vulnerable software | Visual Studio (Universal components / Libraries / Software for developers); ASP.NET Core (Universal components / Libraries / Software for developers); .NET (Other software / Other software solutions) |
Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU83142
Risk: Low
CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36558
CWE-ID: CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to a security feature bypass in ASP.NET Core. A local attacker can bypass validations on Blazor Server forms and gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Visual Studio: 2022 version 17.2 - 2022 version 17.7
ASP.NET Core: 6.0 - 8.0
.NET: 6.0.0 - 8.0.0
CPE2.3
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36558
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83143
Risk: Medium
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2023-36038
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in ASP.NET Core. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Visual Studio: 2022 version 17.2 - 2022 version 17.7
ASP.NET Core: 8.0
.NET: 8.0.0
CPE2.3
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36038
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.