Persistent XSS Vulnerability in VX Search Enterprise 10.2.14
CVE-2023-49573

6.1MEDIUM

Key Information:

Vendor: Flexense
Status: Vx Search Enterprise
Vendor: CVE Published:; 24 May 2024

What is CVE-2023-49573?

A vulnerability exists in VX Search Enterprise version 10.2.14, enabling attackers to perform persistent Cross-Site Scripting (XSS) attacks. This issue arises from improper handling of the action_value parameter within the /add_command_action endpoint, which could allow the injection and storage of malicious JavaScript code within the system. Once executed, this code may trigger whenever the page loads, thus compromising the security and integrity of the affected application. Organizations using this version should take immediate action to mitigate potential risks associated with this vulnerability.

Affected Version(s)

VX Search Enterprise 10.2.14

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 24, 2024
Vulnerability Reserved
Nov 27, 2023

Credit

Rafael Pedrero