Reference: Advisory #2023-143
Version: 1.0
Affected software: OpenSupports v4.11.0
Type: Improper File Type Validation
CVE/CVSS: CVE-2023-48031, CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
A proof-of-concept exploit exists for a critical vulnerability (CVE-2023-48031) in OpenSupports v4.11.0. It allows an attacker to bypass security restrictions by uploading a crafted file whose file signature (magic bytes) has been modified so that it passes as an acceptable file type. A successful attack could enable the adversary to execute arbitrary code or establish a reverse shell.
Compromise could have high impact on confidentiality, integrity and availability.
OpenSupports is a free, open-source ticket system available on the official OpenSupports GitHub. The repository does not offer a remediation for CVE-2023-48031. Version v4.11.0 dates back to January 2022 and has not been updated since.
CVE-2023-48031 allows an attacker to execute arbitrary code or establish a reverse shell leading to possible control over a victim's infrastructure.
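To illustrate why a file-signature check on its own is an insufficient upload control, here is an added Python example (not OpenSupports code; the allowlist and function names are constructed) that contrasts a magic-bytes-only validator with one that ties the signature to an allowlisted extension and stores the file under a server-generated name:

```python
import os
import secrets
from typing import Optional

# Constructed allowlist for an attachment upload endpoint: each permitted
# extension maps to the leading bytes (magic signature) that type must carry.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}


def _matches(data: bytes, signatures) -> bool:
    return any(data.startswith(sig) for sig in signatures)


def magic_only_check(data: bytes) -> bool:
    """Weak check: accepts any upload whose first bytes look like one of the
    allowed types. The filename, and therefore the extension the file will be
    stored and served under, is never consulted; the signature alone decides."""
    return any(_matches(data, sigs) for sigs in ALLOWED_TYPES.values())


def hardened_check(filename: str, data: bytes) -> Optional[str]:
    """Hardened check: returns a server-chosen storage name if the upload is
    accepted, otherwise None. The extension must be allowlisted and the magic
    bytes must match that specific extension, not merely some allowed type."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return None  # extension is not allowlisted
    if not _matches(data, signatures):
        return None  # content disagrees with the declared type
    # Never reuse the client-supplied name: a random name with the validated
    # extension guarantees the stored object is exactly what was declared.
    return f"{secrets.token_hex(16)}{ext}"
```

Storing accepted files outside the web root and serving them through a handler that sets a fixed Content-Type removes the remaining dependence on the extension.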
The Centre for Cyber Security Belgium (CCB) strongly recommends installing alternative software or finding alternative mitigations.