CVE-2023-29492
Vexday Risk Score: 58 (Attention)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 9.8 · EPSS 2.7% · KEV: yes · PoC: — · Nuclei: — · Metasploit: — · Patch: —
Lifecycle
11 Apr 2023: Published on NVD
13 Apr 2023: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Novi Survey versions before 8.9.43676 allow attackers to run malicious code on the server without needing special access. This compromises the server itself, though survey data remains protected.
Technical detail
Novi Survey versions before 8.9.43676 contain a remote code execution vulnerability that is exploitable without authentication; a successful attack executes arbitrary commands in the context of the service account. The vulnerability stems from insufficient input validation (CWE-94: Improper Control of Generation of Code) and allows an unauthenticated attacker to achieve full server compromise, although it does not extend to unauthorized access to survey responses or stored data.
Summary generated and translated by AI from the official description.
Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a