CVE-2023-34203 - OpenCVE

In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Progress	Openedge Openedge Management Openedge Explorer

Configuration 1 [-]

OR	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge:::::lts:::*
	cpe:2.3:a:progress:openedge_explorer::::::::
	cpe:2.3:a:progress:openedge_management::::::::

References

Link	Resource
https://www.progress.com/openedge	Product

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-06-23T00:00:00

Updated: 2023-06-23T00:00:00

Reserved: 2023-05-30T00:00:00

Link: CVE-2023-34203

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-06-23T20:15:09.103

Modified: 2023-07-05T13:29:17.093

Link: CVE-2023-34203

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "4F02D029-AF83-440A-8A8C-C6DB853A13F6", "versionEndExcluding": "11.7.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "A58060B0-9B48-470B-8766-967583071933", "versionEndExcluding": "12.2.12", "versionStartIncluding": "12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge:*:*:*:*:lts:*:*:*", "matchCriteriaId": "18CC54ED-4D25-4D66-8565-96AFDB8B4A8C", "versionEndExcluding": "12.7", "versionStartIncluding": "12.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge_explorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "156C92E9-00BE-419F-971E-C475EF6ED8C9", "versionEndExcluding": "12.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:progress:openedge_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "10CFA60E-7888-4C90-9536-B94B771F2079", "versionEndExcluding": "12.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explorer) before 12.7, a remote user (who has any OEM or OEE role) could perform a URL injection attack to change identity or role membership, e.g., escalate to admin. This affects OpenEdge LTS before 11.7.16, 12.x before 12.2.12, and 12.3.x through 12.6.x before 12.7."}], "id": "CVE-2023-34203", "lastModified": "2023-07-05T13:29:17.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-23T20:15:09.103", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.progress.com/openedge"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}