CVE-2023-6352 MEDIUM

CVE-2023-6352: Aquaforest TIFF Server default configuration allows access to arbitrary files

Vendor: Aquaforest
Product: TIFF Server
Weakness: CWE-22 · Path traversal
Published: November 30, 2023
Last update: August 2, 2024

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The default configuration of Aquaforest TIFF Server allows access to arbitrary file paths, subject to any restrictions imposed by Internet Information Services (IIS) or Microsoft Windows. Depending on how a web application uses and configures TIFF Server, a remote attacker may be able to enumerate files or directories, traverse directories, bypass authentication, or access restricted files.

Key dates

02 Disclosure timeline

November 30, 2023: CVE published
August 2, 2024: Record updated