CVE-2023-26453
moderate-risk
Published 2023-11-02
Requests to cache an image could be abused to include SQL queries that were executed unchecked. Exploiting this vulnerability requires at least access to networks adjacent to the imageconverter service, which is not exposed to public networks by default. Arbitrary SQL statements could be executed in the context of the service's database user account. API requests are now properly checked for valid content, and attempts to circumvent this check are logged as errors. No publicly available exploits are known.
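The bug class described above, as an added example that is not the affected product's code: an image-cache lookup that splices request content into SQL text, beside a hardened version that rejects and logs malformed keys and binds the value as a parameter. The table schema, the cache-key format, the `image_cache` table name and the request parameter are assumptions chosen for illustration; the page does not say which request field was injectable or how the real service stores its cache.

```python
"""Illustrative SQL-injection pattern in an image-cache request handler.

Added example, not code from the affected product. The schema, the
cache-key format and the parameter name are assumptions made for the
demonstration; only the bug class (unchecked request content reaching
SQL) comes from the advisory.
"""
import logging
import re
import sqlite3

log = logging.getLogger("imageconverter")

# Hypothetical cache table; the real service's schema is not on the page.
SCHEMA = (
    "CREATE TABLE image_cache ("
    "cache_key TEXT PRIMARY KEY, source_url TEXT, blob BLOB)"
)
SAMPLE_URL = "https://example.test/a.png"  # constructed sample row

# Constructed payload: closes the string literal, appends a UNION that reads
# schema metadata, and comments out the trailing quote.
INJECTION = "x' UNION SELECT name FROM sqlite_master WHERE type='table'--"

# Allow-list for cache keys (assumed format: opaque token, no quotes/spaces).
CACHE_KEY_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")


class RejectedRequest(ValueError):
    """Raised when request content fails validation."""


def new_db():
    """Create an in-memory cache database with one constructed entry."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO image_cache VALUES (?, ?, ?)", ("k1", SAMPLE_URL, b"\x00")
    )
    conn.commit()
    return conn


def cache_lookup_vulnerable(conn, cache_key):
    """Vulnerable: request content becomes part of the statement text."""
    sql = (
        "SELECT source_url FROM image_cache WHERE cache_key = '"
        + cache_key
        + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def cache_lookup_hardened(conn, cache_key, audit):
    """Hardened: validate the request, log rejections, bind the value.

    `audit` collects the error-level log lines so callers (and tests) can
    confirm that a bypass attempt was recorded, mirroring the advisory's
    "attempts to circumvent this check are logged as errors".
    """
    if not CACHE_KEY_RE.fullmatch(cache_key):
        message = "rejected image cache request, invalid key: %r" % (cache_key,)
        log.error(message)
        audit.append(message)
        raise RejectedRequest(message)
    # Parameter binding keeps the value out of the SQL text entirely, so even
    # a key that slipped past the allow-list could not change the query.
    rows = conn.execute(
        "SELECT source_url FROM image_cache WHERE cache_key = ?", (cache_key,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = new_db()
    print("vulnerable, normal key:", cache_lookup_vulnerable(db, "k1"))
    print("vulnerable, injected key:", cache_lookup_vulnerable(db, INJECTION))
    audit_log = []
    print("hardened, normal key:", cache_lookup_hardened(db, "k1", audit_log))
    try:
        cache_lookup_hardened(db, INJECTION, audit_log)
    except RejectedRequest:
        print("hardened, injected key: rejected and logged:", audit_log)
```

The injected key makes the vulnerable lookup return the name of the cache table (schema metadata the caller should never see); the hardened version refuses the same key before any SQL runs and leaves an error-level entry behind. The allow-list and the bound parameter are independent layers: the first gives the operator a signal that someone is probing, the second makes the query safe regardless of what the validator accepts.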
Do I need to act?
- EPSS: 0.06% chance of exploitation (low exploit probability)
- Not on the CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 7.6/10 (High); attack vector shown as PHYSICAL, attack complexity LOW

Note that the advisory text above names access from adjacent networks as the precondition, which does not match the PHYSICAL attack-vector label in this scorecard; treat the vector label with caution and rely on the vendor advisory for the actual exposure.
Affected Products (20), Affected Vendors, References (4): the expandable lists were not captured on this page.
Risk score: 49/100 (moderate-risk)
- Severity: 24/34 (High)
- Exploitability: 0/34 (Minimal)
- Exposure: 25/34 (High)