Vulnerability Details : CVE-2023-42222
Public exploit exists!
WebCatalog before 49.0 is vulnerable to Incorrect Access Control. WebCatalog calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.
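The pattern behind this CVE is a renderer-supplied URL reaching `shell.openExternal` with no scheme check, so the operating system's handler for whatever protocol the URL names gets invoked. The following is an added example, not WebCatalog's code and not taken from the exploit or from Electron's own sources: a scheme allowlist placed in front of `openExternal`, shown beside the unchecked pattern the advisory describes. `openExternal` is passed in as a parameter (an assumption made so the file runs under plain Node.js without Electron; in a real app you would pass `require('electron').shell.openExternal`), and the sample URLs are constructed for the demonstration.

```javascript
// Added example: allowlisting http/https before Electron's shell.openExternal.
// openExternal is injected so this runs under plain Node.js (assumption);
// a real app would hand in require('electron').shell.openExternal.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse with the WHATWG URL API rather than inspecting the raw string: it
// lowercases the scheme, strips leading/trailing whitespace and control
// characters, and throws on anything unparseable, so "HTTPS://", "  file:///"
// and "javascript:" are all classified reliably.
function isSafeExternalUrl(raw) {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return false; // relative paths, empty string, garbage
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// The unchecked pattern the advisory describes: the URL goes straight to
// openExternal, so any scheme the OS knows a handler for is dispatched.
function openLinkVulnerable(url, openExternal) {
  openExternal(url);
  return true;
}

// Hardened pattern: refuse anything that is not http(s).
// Returns whether the URL was handed to openExternal.
function openLinkHardened(url, openExternal) {
  if (!isSafeExternalUrl(url)) return false;
  openExternal(url);
  return true;
}

// Shape suitable for webContents.setWindowOpenHandler: never open a new
// Electron window, and pass only http(s) targets to the system browser.
function windowOpenHandler({ url }, openExternal) {
  openLinkHardened(url, openExternal);
  return { action: 'deny' };
}

// Constructed sample inputs (not from the advisory or the published exploit).
const SAMPLE_URLS = [
  'https://example.com/docs',
  'HTTP://EXAMPLE.COM/path',            // scheme is normalised to lowercase
  '  https://example.com/with-whitespace', // surrounding whitespace is stripped
  'file:///tmp/anything',
  'javascript:void(0)',
  'custom-scheme://whatever',           // any registered protocol handler
  'not a url',
  '',
];

// Run both handlers over the samples; return which URLs each let through.
function compareHandlers(urls = SAMPLE_URLS) {
  const vulnerable = [];
  const hardened = [];
  for (const u of urls) {
    openLinkVulnerable(u, (x) => vulnerable.push(x));
    openLinkHardened(u, (x) => hardened.push(x));
  }
  return { vulnerable, hardened };
}

const report = compareHandlers();
console.log('unchecked handler opened:', report.vulnerable);
console.log('hardened handler opened: ', report.hardened);
```

Comparing the parsed `protocol` is deliberately preferred over a prefix test on the raw string: the parser normalises case and trims surrounding whitespace, so a naive `startsWith('http')` would disagree with what the platform actually dispatches. Allowlisting http(s) is the minimum the Electron security guide referenced below asks for; the fix in WebCatalog 49.0 is not reproduced here because the page does not show it.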
Products affected by CVE-2023-42222
- cpe:2.3:a:webcatalog:webcatalog:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-42222
Score: 0.17% (probability of exploitation activity in the next 30 days)
Percentile: ~54% (the proportion of all scored vulnerabilities whose EPSS score is at or below this one)
CVSS scores for CVE-2023-42222
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
References for CVE-2023-42222
- https://www.electronjs.org/docs/latest/tutorial/security#15-do-not-use-shellopenexternal-with-untrusted-content
  Security | Electron (Third Party Advisory)
- https://github.com/itssixtyn3in/CVE-2023-42222
  GitHub - itssixtyn3in/CVE-2023-42222 (Exploit; Third Party Advisory)
- http://packetstormsecurity.com/files/176957/WebCatalog-48.4-Arbitrary-Protocol-Execution-Code-Execution.html
  WebCatalog 48.4 Arbitrary Protocol Execution / Code Execution (Packet Storm)
- https://webcatalog.io/changelog/
  WebCatalog changelog (Release Notes; the link returned 404 when crawled)