CVE-2023-26046 MEDIUM

CVE-2023-26046: teler-waf subject to bypass of common web attack threat rule with HTML entities payload

Vendor Kitabisa

Product teler-waf

Weakness CWE-80 · XSS · basic

Published March 2, 2023

Last update March 5, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

teler-waf is a Go HTTP middleware that provides teler IDS functionality to protect against web-based attacks. In teler-waf prior to version 0.1.1 is vulnerable to bypassing common web attack rules when a specific HTML entities payload is used. This vulnerability allows an attacker to execute arbitrary JavaScript code on the victim's browser and compromise the security of the web application. The vulnerability exists due to teler-waf failure to properly sanitize and filter HTML entities in user input. An attacker can exploit this vulnerability to bypass common web attack threat rules in teler-waf and launch cross-site scripting (XSS) attacks. The attacker can execute arbitrary JavaScript code on the victim's browser and steal sensitive information, such as login credentials and session tokens, or take control of the victim's browser and perform malicious actions. This issue has been fixed in version 0.1.1.

Key dates

02Disclosure timeline

March 2, 2023 CVE published

March 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-26046 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/80.html

Related vulnerabilities

CVE-2023-26046: teler-waf subject to bypass of common web attack threat rule with HTML entities payload

01Description

02Disclosure timeline

03References

04Related CVE