H2O Local File Include
CVE-2023-6013

9.3CRITICAL

Key Information:

Vendor: H2oai
Status: H2oai/h2o-3
Vendor: CVE Published:; 16 November 2023

What is CVE-2023-6013?

The H2O web server is vulnerable to a stored cross-site scripting (XSS) attack that can permit malicious actors to inject arbitrary scripts into web applications. This vulnerability may escalate to local file inclusion, compromising the integrity of the server and sensitive data. Attackers could exploit this weakness to execute unauthorized commands or gain access to restricted files, highlighting the importance of ensuring server configurations and applying timely updates.

Affected Version(s)

h2oai/h2o-3 <= unspecified

References

https://huntr.com/bounties/9881569f-dc2a-437e-86b0-20d4b7...

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 16, 2023
Vulnerability Reserved
Nov 8, 2023

CVE-2023-6013 Data

JSON

H2oai

What is CVE-2023-6013?

Affected Version(s)

References

CVSS V3.1

Timeline