CVE-2023-45152 LOW

CVE-2023-45152: Blind Server Side Request Forgery (SSRF) in remote schedule import feature in Engelsystem

Vendor Engelsystem
Product engelsystem
Weakness CWE-918 · SSRF
Published October 16, 2023
Last update September 13, 2024

CVSS base score

2.0/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Engelsystem is a shift planning system for chaos events. A blind SSRF in the "Import schedule" functionality makes it possible to perform a port scan against the local environment, since the application fetches a user-supplied schedule URL and its response reveals whether the target port is reachable. This vulnerability has been fixed in commit ee7d30b33. If the patch cannot be deployed, operators should ensure that no HTTP(S) services listen on localhost or on systems reachable only from the host running the engelsystem software. If such services are necessary, they should require additional authentication.

Key dates

Disclosure timeline

October 16, 2023 CVE published
September 13, 2024 Record updated