External Control of File Name or Path in R-SeeNet

#VU77656 External Control of File Name or Path in R-SeeNet

Published: 2023-06-23 | Updated: 2023-08-22

Vulnerability identifier: #VU77656

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3256

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
R-SeeNet
Server applications / Other server solutions

Vendor: Advantech Co., Ltd

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to application allows an attacker to control path of the files. A remote user can send a specially crafted HTTP request to access and load the content of local files.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.22

External links
http://www.cisa.gov/news-events/ics-advisories/icsa-23-173-02
http://www.zerodayinitiative.com/advisories/ZDI-23-1157/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Advantech R-SeeNet