Inefficient regular expression complexity in Mailform Pro CGI - CVE-2023-40599

 

Inefficient regular expression complexity in Mailform Pro CGI - CVE-2023-40599

Published: August 25, 2023


Vulnerability identifier: #VU80013
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-40599
CWE-ID: CWE-1333
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SYNCK GRAPHICA
Affected software:
Mailform Pro CGI

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

This vulnerability affects the product when the following functions are enabled:

  • call/call.js
  • prefcodeadv/search.cgi
  • estimate/estimate.js
  • search/search.js
  • suggest/suggest.js
  • coupon/coupon.js

How to mitigate CVE-2023-40599

Install update from vendor's website.

Sources