CVE-2023-6341 - OpenCVE

Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Catalisgov	Cms360

Configuration 1 [-]

cpe:2.3:a:catalisgov:cms360:-:*:*:*:*:*:*:*

References

Link	Resource
https://catalisgov.com/courts-land-records-support/	Product
https://github.com/qwell/disorder-in-the-court/blob/main/README-Catalis.md	Third Party Advisory
https://techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/	Third Party Advisory
https://www.cisa.gov/news-events/alerts/2023/11/30/multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: cisa-cg

Published: 2023-11-30T17:41:22.671Z

Updated: 2023-11-30T20:50:27.195Z

Reserved: 2023-11-27T22:29:14.492Z

Link: CVE-2023-6341

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-30T18:15:08.180

Modified: 2023-12-08T15:22:34.380

Link: CVE-2023-6341

JSON object: View

Redhat Information

No data.

CWE

CWE-639

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6341", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2023-11-27T22:29:14.492Z", "datePublished": "2023-11-30T17:41:22.671Z", "dateUpdated": "2023-11-30T20:50:27.195Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "CMS360", "vendor": "Catalis", "versions": [{"lessThan": "~2023-11-03", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-11-30T17:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.<br>"}], "value": "Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2023-11-30T20:50:27.195Z"}, "references": [{"tags": ["product"], "url": "https://catalisgov.com/courts-land-records-support/"}, {"url": "https://github.com/qwell/disorder-in-the-court/blob/main/README-Catalis.md"}, {"tags": ["media-coverage"], "url": "https://techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/"}, {"tags": ["third-party-advisory", "government-resource"], "url": "https://www.cisa.gov/news-events/alerts/2023/11/30/multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems"}], "source": {"discovery": "UNKNOWN"}, "title": "Catalis CM360 allows authentication bypass ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:catalisgov:cms360:-:*:*:*:*:*:*:*", "matchCriteriaId": "732F218C-BEBE-46CE-BB21-BD9B29266C8F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Catalis (previously Icon Software) CMS360 allows a remote, unauthenticated attacker to view sensitive court documents by modifying document and other identifiers in URLs. The impact varies based on the intention and configuration of a specific CMS360 installation.\n"}, {"lang": "es", "value": "Catalis (anteriormente Icon Software) CMS360 permite a un atacante remoto no autenticado ver documentos judiciales confidenciales modificando documentos y otros identificadores en las URL. El impacto var\u00eda seg\u00fan la intenci\u00f3n y la configuraci\u00f3n de una instalaci\u00f3n CMS360 espec\u00edfica."}], "id": "CVE-2023-6341", "lastModified": "2023-12-08T15:22:34.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2023-11-30T18:15:08.180", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Product"], "url": "https://catalisgov.com/courts-land-records-support/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://github.com/qwell/disorder-in-the-court/blob/main/README-Catalis.md"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/alerts/2023/11/30/multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}