ExploitCVE-2023-48699
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)
Published: Nov 21, 2023
010
CVSS 8.4EPSS 0.05%High
CVE info copied to clipboard
fastbots is a library for fast bot and scraper development using selenium and the Page Object Model (POM) design. Prior to version 0.1.5, an attacker could modify the locators.ini locator file with python code that without proper validation it's executed and it could lead to rce. The vulnerability is in the function `def __locator__(self, locator_name: str)` in `page.py`. In order to mitigate this issue, upgrade to fastbots version 0.1.5 or above.
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
First Article
Feedly found the first article mentioning CVE-2023-48699. See article
Nov 21, 2023 at 10:35 PM / GitHub Advisory Database
CVE Assignment
NVD published the first details for CVE-2023-48699
Nov 21, 2023 at 11:15 PM
EPSS
EPSS Score was set to: 0.05% (Percentile: 12.6%)
Nov 22, 2023 at 5:06 PM
Affected Systems
Ubertidavide/fastbots
+null more
Exploits
https://github.com/ubertidavide/fastbots/security/advisories/GHSA-vccg-f4gp-45x9
+null more
Patches
Github Advisory
+null more
Attack Patterns
CAPEC-35: Leverage Executable Code in Non-Executable Files
+null more
Vendor Advisory
[GHSA-vccg-f4gp-45x9] Eval Injection in fastbots
The vulnerable code that load and execute directly from the file without validation it's: return eval(self._bot.locator(self._page_name, locator_name)) The vulnerable code that load and execute directly from the file without validation it's: return eval(self._bot.locator(self._page_name, locator_name))
News
US-CERT Vulnerability Summary for the Week of November 20, 2023
admidio — admidio Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). 2023-11-22 not yet calculated CVE-2023-47380 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-26347 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44350 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44351 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
US-CERT Vulnerability Summary for the Week of November 20, 2023
admidio — admidio Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). 2023-11-22 not yet calculated CVE-2023-47380 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-26347 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44350 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44351 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
US-CERT Vulnerability Summary for the Week of November 20, 2023
admidio — admidio Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). 2023-11-22 not yet calculated CVE-2023-47380 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-26347 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44350 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44351 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
US-CERT Vulnerability Summary for the Week of November 20, 2023
admidio — admidio Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). 2023-11-22 not yet calculated CVE-2023-47380 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-26347 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44350 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44351 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
US-CERT Vulnerability Summary for the Week of November 20, 2023
admidio — admidio Admidio v4.2.12 and below is vulnerable to Cross Site Scripting (XSS). 2023-11-22 not yet calculated CVE-2023-47380 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-26347 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44350 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. 2023-11-17 not yet calculated CVE-2023-44351 adobe — coldfusion Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
See 10 more articles and social media posts