CVE-2023-31450

Опубликовано: 09 авг. 2023

Источник: nvd

CVSS3: 4.7

EPSS Низкий

Описание

A path traversal vulnerability was identified in the SQL v2 sensors in PRTG 23.2.84.1566 and earlier versions where an authenticated user with write permissions could trick the SQL v2 sensors into behaving differently for existing files and non-existing files. This made it possible to traverse paths, allowing the sensor to execute files outside the designated custom sensors folder. The severity of this vulnerability is medium and received a score of 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Ссылки

https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520
Vendor Advisory
https://www.paessler.com/prtg/history/stable
Release Notes
https://kb.paessler.com/en/topic/91845-multiple-vulnerabilites-fixed-in-paessler-prtg-network-monitor-23-3-86-1520
Vendor Advisory
https://www.paessler.com/prtg/history/stable
Release Notes

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:paessler:prtg_network_monitor:*:*:*:*:*:*:*:*

Версия до 23.3.86.1520 (исключая)

EPSS

Процентиль: 27%

0.00097

Низкий

4.7 Medium

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-fmpq-jp35-g5hj

CVSS3: 5.4

github

больше 2 лет назад

An issue was discovered in Paessler PRTG Network Monitor 23.2.83.1760 x64. To exploit the vulnerability, a authenticated user can create a SQL Sensor. When creating this sensor, the user can set the SQL message that should be sent from the PRTG device. This input parameter contains a path traversal vulnerability that allows an attacker to choose arbitrary files from the system. They will be transmitted over the internet to the attacker's machine.