CVE-2023-49575
moderate-risk
Published 2024-05-24
A vulnerability has been discovered in VX Search Enterprise affecting version 10.2.14, in Sync Breeze Enterprise Server 10.4.18 version, and in Disk Pulse Enterprise 10.4.18 version, that could allow an attacker to execute persistent XSS through /setup_smtp in smtp_server, smtp_user, smtp_password and smtp_email_address parameters. This vulnerability could allow an attacker to store malicious JavaScript payloads on the system to be triggered when the page loads.
Do I need to act?
-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10
High
NETWORK
/ LOW complexity
Affected Products (1)
Affected Vendors
References (2)
Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flex...
Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flex...
30
/ 100
moderate-risk
Severity
25/34 · High
Exploitability
0/34 · Minimal
Exposure
5/34 · Minimal