CVE-2023-45727

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://jvn.jp/en/jp/JVN95981460/	Third Party Advisory
https://www.proself.jp/information/153/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:northgrid:proself:::::mail_sanitize:::*
	cpe:2.3:a:northgrid:proself:::::gateway:::*
	cpe:2.3:a:northgrid:proself:::::enterprise:::*
	cpe:2.3:a:northgrid:proself:::::standard:::*

History

25 Oct 2023, 17:31

Type	Values Removed	Values Added
First Time		Northgrid proself Northgrid
References	~~(MISC) https://www.proself.jp/information/153/ -~~	(MISC) https://www.proself.jp/information/153/ - Vendor Advisory
References	~~(MISC) https://jvn.jp/en/jp/JVN95981460/ -~~	(MISC) https://jvn.jp/en/jp/JVN95981460/ - Third Party Advisory
CPE		cpe:2.3:a:northgrid:proself:::::mail_sanitize:::* cpe:2.3:a:northgrid:proself:::::standard:::* cpe:2.3:a:northgrid:proself:::::enterprise:::* cpe:2.3:a:northgrid:proself:::::gateway:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-611

18 Oct 2023, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-18 10:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-45727

Mitre link : CVE-2023-45727

CVE.ORG link : CVE-2023-45727

JSON object : View

Products Affected

northgrid

proself

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-45727", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-10-18T10:15:08.643", "references": [{"url": "https://jvn.jp/en/jp/JVN95981460/", "tags": ["Third Party Advisory"], "source": "vultures@jpcert.or.jp"}, {"url": "https://www.proself.jp/information/153/", "tags": ["Vendor Advisory"], "source": "vultures@jpcert.or.jp"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks. By processing a specially crafted request containing malformed XML data, arbitrary files on the server containing account information may be read by the attacker."}, {"lang": "es", "value": "Proself Enterprise/Standard Edition Ver5.62 y anteriores, Proself Gateway Edition Ver1.65 y anteriores, y Proself Mail Sanitize Edition Ver1.08 y anteriores permiten a un atacante remoto no autenticado realizar ataques de entidad externa XML (XXE). Al procesar una solicitud especialmente manipulada que contiene datos XML con formato incorrecto, el atacante puede leer archivos arbitrarios en el servidor que contienen informaci\u00f3n de la cuenta."}], "lastModified": "2023-10-25T17:31:59.553", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:mail_sanitize:*:*:*", "vulnerable": true, "matchCriteriaId": "6D6F51B5-6B83-41C4-A1F6-9D10CB601DB5", "versionEndExcluding": "1.09"}, {"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:gateway:*:*:*", "vulnerable": true, "matchCriteriaId": "F1BB1954-50C1-40A8-9F47-415ECBB6259F", "versionEndExcluding": "1.66"}, {"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:enterprise:*:*:*", "vulnerable": true, "matchCriteriaId": "66942ECC-2DB7-4B63-9364-FC7D71722355", "versionEndExcluding": "5.63"}, {"criteria": "cpe:2.3:a:northgrid:proself:*:*:*:*:standard:*:*:*", "vulnerable": true, "matchCriteriaId": "1ED1659B-802E-4F0F-9CF3-BD1BBED1A27F", "versionEndExcluding": "5.63"}], "operator": "OR"}]}], "sourceIdentifier": "vultures@jpcert.or.jp"}