#VU80500 External Control of File Name or Path in OAS Platform - CVE-2023-32615

Cybersecurity Help s.r.o.

Published: 2023-09-06

Vulnerability identifier: #VU80500

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32615

CWE-ID: CWE-73

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OAS Platform
Client/Desktop applications / Other client software

Vendor: Open Automation Software

Description

The vulnerability allows a remote attacker to create arbitrary files.

The vulnerability exists due to application allows an attacker to control path of the files to delete within the OAS Engine configuration functionality. A remote user can send a specially crafted HTTP request and create or overwrite arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OAS Platform: 18.00.0072

External links
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1771
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1771

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Open Automation Software OAS Platform