CVE-2023-49213

The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary commands via crafted HTTP requests if a param block is used, due to invalid sanitization of input strings. The fixed versions are 3.10.2, 4.1.10, and 4.2.1.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*
cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*
cpe:2.3:a:ironmansoftware:powershell_universal:4.2.0:*:*:*:*:*:*:*

History

21 Nov 2024, 08:33

Type Values Removed Values Added
References () https://blog.ironmansoftware.com/powershell-universal-apis-cve/ - Exploit, Mitigation, Vendor Advisory () https://blog.ironmansoftware.com/powershell-universal-apis-cve/ - Exploit, Mitigation, Vendor Advisory
References () https://docs.powershelluniversal.com/changelogs/changelog - Release Notes () https://docs.powershelluniversal.com/changelogs/changelog - Release Notes

30 Nov 2023, 05:38

Type Values Removed Values Added
CWE CWE-77
References () https://docs.powershelluniversal.com/changelogs/changelog - () https://docs.powershelluniversal.com/changelogs/changelog - Release Notes
References () https://blog.ironmansoftware.com/powershell-universal-apis-cve/ - () https://blog.ironmansoftware.com/powershell-universal-apis-cve/ - Exploit, Mitigation, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CPE cpe:2.3:a:ironmansoftware:powershell_universal:4.2.0:*:*:*:*:*:*:*
cpe:2.3:a:ironmansoftware:powershell_universal:*:*:*:*:*:*:*:*

24 Nov 2023, 15:24

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-23 22:15

Updated : 2024-11-21 08:33


NVD link : CVE-2023-49213

Mitre link : CVE-2023-49213

CVE.ORG link : CVE-2023-49213


JSON object : View

Products Affected

ironmansoftware

  • powershell_universal
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')