CVE-2023-45152

Blind Server Side Request Forgery (SSRF) in remote schedule import feature in Engelsystem

CVSS 2 LOWEPSS 0.3%CWE-918

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

16 Oct 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Engelsystem is a shift planning system for chaos events. A Blind SSRF in the "Import schedule" functionality makes it possible to perform a port scan against the local environment. This vulnerability has been fixed in commit ee7d30b33. If a patch cannot be deployed, operators should ensure that no HTTP(s) services listen on localhost and/or systems only reachable from the host running the engelsystem software. If such services are necessary, they should utilize additional authentication.

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Affected products

engelsystem · engelsystem

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/engelsystem/engelsystem/commit/ee7d30b33935ea001705f438fec8ffd05734f295 https://github.com/engelsystem/engelsystem/security/advisories/GHSA-jj9g-75wf-6ppf