CVE-2023-23366 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-23366 PUBLISHED CVSS 7.699999809265137 HIGH

On Feb 15, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the DMG file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to access sensitive information on an affected device. This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process.

EPSS 0.15% · 35.0th percentile

Risk Scores

CVSS v3.1

7.699999809265137

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS Score

0.15%

35.0th percentile

Affected Products

Vendor	Product	Versions
qnap	music_station	5.3.0
QNAP Systems Inc.	Music Station	5.3.x
Cisco	Cisco Secure Endpoint	6.1.5, 6.1.7, 6.1.9

Timeline

Feb 17, 2023 PoC Published
Oct 6, 2023 CVE Published
Oct 7, 2023 EPSS Score
Nov 7, 2023 EPSS Score
Dec 8, 2023 EPSS Score
Jan 8, 2024 EPSS Score
Feb 8, 2024 EPSS Score
Mar 10, 2024 EPSS Score
Apr 10, 2024 EPSS Score
May 11, 2024 EPSS Score
Jun 11, 2024 EPSS Score
Jul 12, 2024 EPSS Score

References

Open in Interactive Console →