CVE-2023-6381

Improper input validation vulnerability in Newsletter Software SuperMailer affecting version 11.20.0.2204. An attacker could exploit this vulnerability by sending a malicious configuration file (file with SMB extension) to a user via a link or email attachment and persuade the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to crash the application when attempting to load the malicious file.

CVSS v3 3.3 LOW

3.3^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer	Third Party Advisory
https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:supermailer:supermailer:11.20.0.2204:*:*:*:*:*:*:*

History

21 Nov 2024, 08:43

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.5~~	v2 : unknown v3 : 3.3
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer - Third Party Advisory~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer - Third Party Advisory

18 Dec 2023, 19:58

Type	Values Removed	Values Added
CWE	~~CWE-20~~	NVD-CWE-noinfo
CPE		cpe:2.3:a:supermailer:supermailer:11.20.0.2204:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
References	~~() https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer -~~	() https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer - Third Party Advisory

13 Dec 2023, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-13 11:15

Updated : 2024-11-21 08:43

NVD link : CVE-2023-6381

Mitre link : CVE-2023-6381

CVE.ORG link : CVE-2023-6381

JSON object : View

Products Affected

supermailer

supermailer

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2023-6381", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2023-12-13T11:15:07.830", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer", "tags": ["Third Party Advisory"], "source": "cve-coordination@incibe.es"}, {"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/improper-input-validation-newsletter-software-supermailer", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@incibe.es", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Improper input validation vulnerability in Newsletter Software SuperMailer affecting version 11.20.0.2204. An attacker could exploit this vulnerability by sending a malicious configuration file (file with SMB extension) to a user via a link or email attachment and persuade the user to open the file with the affected software on the local system. A successful exploit could allow the attacker to crash the application when attempting to load the malicious file."}, {"lang": "es", "value": "Vulnerabilidad de validaci\u00f3n de entrada incorrecta en Newsletter Software SuperMailer que afecta a la versi\u00f3n 11.20.0.2204. Un atacante podr\u00eda aprovechar esta vulnerabilidad enviando un archivo de configuraci\u00f3n malicioso (archivo con extensi\u00f3n SMB) a un usuario a trav\u00e9s de un enlace o un archivo adjunto de correo electr\u00f3nico y persuadir al usuario para que abra el archivo con el software afectado en el sistema local. Un exploit exitoso podr\u00eda permitir al atacante bloquear la aplicaci\u00f3n al intentar cargar el archivo malicioso."}], "lastModified": "2024-11-21T08:43:44.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:supermailer:supermailer:11.20.0.2204:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "565674D3-43AB-45A0-BB60-375A6C7D7C04"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@incibe.es"}