Executive Summary

Informations
Name CVE-2023-48226 First vendor Publication 2023-11-21
Vendor Cve Last vendor Modification 2023-11-29

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Overall CVSS Score 3.5
Base Score 3.5 Environmental Score 3.5
impact SubScore 1.4 Temporal Score 3.5
Exploitabality Sub Score 2.1
 
Attack Vector Network Attack Complexity Low
Privileges Required Low User Interaction Required
Scope Unchanged Confidentiality Impact None
Integrity Impact Low Availability Impact None
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

OpenReplay is a self-hosted session replay suite. In version 1.14.0, due to lack of validation Name field - Account Settings (for registration looks like validation is correct), a bad actor can send emails with HTML injected code to the victims. Bad actors can use this to phishing actions for example. Email is really send from OpenReplay, but bad actors can add there HTML code injected (content spoofing). Please notice that during Registration steps for FullName looks like is validated correct - can not type there, but using this kind of bypass/workaround - bad actors can achieve own goal. As of time of publication, no known fixes or workarounds are available.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48226

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Sources (Detail)

https://bugcrowd.com/vulnerability-rating-taxonomy
https://capec.mitre.org/data/definitions/242.html
https://cwe.mitre.org/data/definitions/20.html
https://github.com/openreplay/openreplay/blob/main/api/chalicelib/utils/html/...
https://github.com/openreplay/openreplay/security/advisories/GHSA-xpfv-454c-3fj4
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2023-11-29 09:27:27
  • Multiple Updates
2023-11-22 00:27:23
  • First insertion