An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for a remote attacker to communicate with the private API endpoints exposed at /login, /consoleSettings, /console, etc. despite Virtual Host Routing being used to block this access. Remote attackers can interact with private pages on the web server, enabling them to perform privileged actions such as logging into the console and changing console settings if they have valid credentials.
References
| Link | Resource |
|---|---|
| https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight/ | Exploit Mitigation Release Notes Third Party Advisory |
| https://research.nccgroup.com/?research=Technical%20advisories | Third Party Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
History
06 Jun 2023, 18:32
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Faronics
Microsoft windows Faronics insight Microsoft |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.3 |
| CPE | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:a:faronics:insight:10.0.19045:*:*:*:*:*:*:* |
|
| References | (MISC) https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulnerabilities-in-faronics-insight/ - Exploit, Mitigation, Release Notes, Third Party Advisory | |
| References | (MISC) https://research.nccgroup.com/?research=Technical%20advisories - Third Party Advisory | |
| CWE | CWE-732 |
31 May 2023, 00:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-05-31 00:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-28346
Mitre link : CVE-2023-28346
CVE.ORG link : CVE-2023-28346
JSON object : View
Products Affected
microsoft
- windows
faronics
- insight
CWE
CWE-732
Incorrect Permission Assignment for Critical Resource