CVE-2023-32755 - Vulnerability Details - OpenCVE

Description

e-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.

Published: 2023-08-25

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

e-Excellence

U-Office Force

unaffected

Version	Status	Constraints
`20.0.7668D`	affected	—

Configuration 1 [-]

cpe:2.3:a:edetw:u-office_force:20.0.7668d:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update version to 24.50SP1 or later.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-36980	e-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0016.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html

History

Wed, 02 Oct 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Edetw U-office Force

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2023-08-25T06:48:31.747Z

Updated: 2024-10-02T17:40:29.138Z

Reserved: 2023-05-15T02:46:49.300Z

Link: CVE-2023-32755

Vulnrichment

Updated: 2024-08-02T15:25:37.096Z

NVD

Status : Modified

Published: 2023-08-25T07:15:08.273

Modified: 2024-11-21T08:03:58.940

Link: CVE-2023-32755

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-209

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-32755", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2023-05-15T02:46:49.300Z", "datePublished": "2023-08-25T06:48:31.747Z", "dateUpdated": "2024-10-02T17:40:29.138Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "U-Office Force", "vendor": "e-Excellence", "versions": [{"status": "affected", "version": "20.0.7668D"}]}], "datePublic": "2023-08-31T01:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">e-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.</span>\n\n"}], "value": "\ne-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.\n\n"}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-08-25T07:14:01.725Z"}, "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update version to 24.50SP1 or later."}], "value": "Update version to 24.50SP1 or later."}], "source": {"advisory": "TVN-202308001", "discovery": "EXTERNAL"}, "title": "e-Excellence U-Office Force - Error Message Leakage", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:37.096Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-02T17:40:16.197605Z", "id": "CVE-2023-32755", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T17:40:29.138Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:25:37.096Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-32755", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-02T17:40:16.197605Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T17:40:25.239Z"}}], "cna": {"title": "e-Excellence U-Office Force - Error Message Leakage", "source": {"advisory": "TVN-202308001", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "e-Excellence", "product": "U-Office Force", "versions": [{"status": "affected", "version": "20.0.7668D"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update version to 24.50SP1 or later.", "supportingMedia": [{"type": "text/html", "value": "Update version to 24.50SP1 or later.", "base64": false}]}], "datePublic": "2023-08-31T01:00:00.000Z", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "\ne-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">e-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.</span>\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-209", "description": "CWE-209 Generation of Error Message Containing Sensitive Information"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-08-25T07:14:01.725Z"}}}, "cveMetadata": {"cveId": "CVE-2023-32755", "state": "PUBLISHED", "dateUpdated": "2024-10-02T17:40:29.138Z", "dateReserved": "2023-05-15T02:46:49.300Z", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "datePublished": "2023-08-25T06:48:31.747Z", "assignerShortName": "twcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:edetw:u-office_force:20.0.7668d:*:*:*:*:*:*:*", "matchCriteriaId": "E126F0A9-0B99-408C-84B9-9326613FF6FF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\ne-Excellence U-Office Force generates an error message in webiste service. An unauthenticated remote attacker can obtain partial sensitive system information from error message by sending a crafted command.\n\n"}, {"lang": "es", "value": "e-Excellence U-Office Force genera un mensaje de error en el servicio del sitio web. Un atacante remoto no autenticado puede obtener informaci\u00f3n confidencial parcial del sistema a partir de un mensaje de error enviando un comando manipulado."}], "id": "CVE-2023-32755", "lastModified": "2024-11-21T08:03:58.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-25T07:15:08.273", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7328-d4112-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "twcert@cert.org.tw", "type": "Secondary"}]}