cvelist/2023/46xxx/CVE-2023-46595.json

{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2023-46595",
        "ASSIGNER": "security.vulnerabilities@algosec.com",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "Net-NTLM leak via stored HTML injection in FireFlow's VisualFlow workflow editor using Name and Description field. It also impacts\u00a0\n\nFireFlow's VisualFlow workflow editor\n\n outbound actions using Name and Category parameter. Fixed in version A32.20 (b570 and above),\u00a0\n\nA32.50 (b400 and above),\u00a0\n\nA32.60 (b220 and above)\n\n"
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
                        "cweId": "CWE-79"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Algosec",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Algosec FireFlow",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "=",
                                            "version_value": "A32.20, A32.50, A32.60"
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://www.algosec.com/docs/en/cves/Content/tech-notes/cves/cve-2023-46595.htm",
                "refsource": "MISC",
                "name": "https://www.algosec.com/docs/en/cves/Content/tech-notes/cves/cve-2023-46595.htm"
            }
        ]
    },
    "generator": {
        "engine": "Vulnogram 0.1.0-dev"
    },
    "source": {
        "discovery": "EXTERNAL"
    },
    "solution": [
        {
            "lang": "en",
            "supportingMedia": [
                {
                    "base64": false,
                    "type": "text/html",
                    "value": "Upgrade ASMS suite to&nbsp;A32.20 (b570 or above),&nbsp;\n\nA32.50 (b400 and above), \n\nA32.60 (b220 and above)\n\n<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.algosec.com/en/downloads/hotfix_releases\">https://portal.algosec.com/en/downloads/hotfix_releases</a><br>"
                }
            ],
            "value": "Upgrade ASMS suite to\u00a0A32.20 (b570 or above),\u00a0\n\nA32.50 (b400 and above), \n\nA32.60 (b220 and above)\n\n\n https://portal.algosec.com/en/downloads/hotfix_releases https://portal.algosec.com/en/downloads/hotfix_releases \n"
        }
    ],
    "credits": [
        {
            "lang": "en",
            "value": "Micha\u0142 Bogdanowicz from Nordea Bank ABP (https://www.linkedin.com/in/micha%C5%82-bogdanowicz-603267a8/)"
        }
    ],
    "impact": {
        "cvss": [
            {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",
                "version": "3.1"
            }
        ]
    }
}
"-Synchronized-Data." 2023-10-23 11:00:31 +00:00			`{`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`"data_version": "4.0",`
"-Synchronized-Data." 2023-10-23 11:00:31 +00:00			`"data_type": "CVE",`
			`"data_format": "MITRE",`
			`"CVE_data_meta": {`
			`"ID": "CVE-2023-46595",`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`"ASSIGNER": "security.vulnerabilities@algosec.com",`
			`"STATE": "PUBLIC"`
"-Synchronized-Data." 2023-10-23 11:00:31 +00:00			`},`
			`"description": {`
			`"description_data": [`
			`{`
			`"lang": "eng",`
"-Synchronized-Data." 2023-11-22 10:00:38 +00:00			`"value": "Net-NTLM leak via stored HTML injection in FireFlow's VisualFlow workflow editor using Name and Description field. It also impacts\u00a0\n\nFireFlow's VisualFlow workflow editor\n\n outbound actions using Name and Category parameter. Fixed in version A32.20 (b570 and above),\u00a0\n\nA32.50 (b400 and above),\u00a0\n\nA32.60 (b220 and above)\n\n"`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`}`
			`]`
			`},`
			`"problemtype": {`
			`"problemtype_data": [`
			`{`
			`"description": [`
			`{`
			`"lang": "eng",`
			`"value": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",`
			`"cweId": "CWE-79"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"affects": {`
			`"vendor": {`
			`"vendor_data": [`
			`{`
			`"vendor_name": "Algosec",`
			`"product": {`
			`"product_data": [`
			`{`
			`"product_name": "Algosec FireFlow",`
			`"version": {`
			`"version_data": [`
			`{`
			`"version_affected": "=",`
"-Synchronized-Data." 2023-11-22 10:00:38 +00:00			`"version_value": "A32.20, A32.50, A32.60"`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`}`
			`]`
			`}`
			`},`
			`"references": {`
			`"reference_data": [`
			`{`
"-Synchronized-Data." 2023-11-28 16:26:31 +00:00			`"url": "https://www.algosec.com/docs/en/cves/Content/tech-notes/cves/cve-2023-46595.htm",`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`"refsource": "MISC",`
"-Synchronized-Data." 2023-11-28 16:26:31 +00:00			`"name": "https://www.algosec.com/docs/en/cves/Content/tech-notes/cves/cve-2023-46595.htm"`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`}`
			`]`
			`},`
			`"generator": {`
			`"engine": "Vulnogram 0.1.0-dev"`
			`},`
			`"source": {`
			`"discovery": "EXTERNAL"`
			`},`
			`"solution": [`
			`{`
			`"lang": "en",`
			`"supportingMedia": [`
			`{`
			`"base64": false,`
			`"type": "text/html",`
"-Synchronized-Data." 2023-11-22 10:00:38 +00:00			`"value": "Upgrade ASMS suite to A32.20 (b570 or above), \n\nA32.50 (b400 and above), \n\nA32.60 (b220 and above)\n\n<br><a target=\"_blank\" rel=\"nofollow\" href=\"https://portal.algosec.com/en/downloads/hotfix_releases\">https://portal.algosec.com/en/downloads/hotfix_releases</a><br>"`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`}`
			`],`
"-Synchronized-Data." 2023-11-22 10:00:38 +00:00			`"value": "Upgrade ASMS suite to\u00a0A32.20 (b570 or above),\u00a0\n\nA32.50 (b400 and above), \n\nA32.60 (b220 and above)\n\n\n https://portal.algosec.com/en/downloads/hotfix_releases https://portal.algosec.com/en/downloads/hotfix_releases \n"`
"-Synchronized-Data." 2023-11-02 08:00:35 +00:00			`}`
			`],`
			`"credits": [`
			`{`
			`"lang": "en",`
			`"value": "Micha\u0142 Bogdanowicz from Nordea Bank ABP (https://www.linkedin.com/in/micha%C5%82-bogdanowicz-603267a8/)"`
			`}`
			`],`
			`"impact": {`
			`"cvss": [`
			`{`
			`"attackComplexity": "HIGH",`
			`"attackVector": "ADJACENT_NETWORK",`
			`"availabilityImpact": "LOW",`
			`"baseScore": 5.9,`
			`"baseSeverity": "MEDIUM",`
			`"confidentialityImpact": "HIGH",`
			`"integrityImpact": "HIGH",`
			`"privilegesRequired": "HIGH",`
			`"scope": "UNCHANGED",`
			`"userInteraction": "REQUIRED",`
			`"vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L",`
			`"version": "3.1"`
"-Synchronized-Data." 2023-10-23 11:00:31 +00:00			`}`
			`]`
			`}`
			`}`