Search criteria
9 vulnerabilities found for server by 4d
FKIE_CVE-2023-4770
Vulnerability from fkie_nvd - Published: 2023-11-30 14:15 - Updated: 2024-11-21 08:35
Severity ?
6.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:4d:4d:19:r8:*:*:*:*:*:*",
"matchCriteriaId": "626249AD-1971-4665-B370-221B29BC7644",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:19:r8:*:*:*:*:*:*",
"matchCriteriaId": "7677CD7F-7041-433F-ACC2-FAF967509CC8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution."
},
{
"lang": "es",
"value": "Se ha encontrado una vulnerabilidad no controlada en un elemento de ruta de b\u00fasqueda en aplicaciones ejecutables de Windows de 4D y 4D server, afectando a la versi\u00f3n 19 R8 100218. Esta vulnerabilidad consiste en un secuestro de DLL reemplazando x64 shfolder.dll en la ruta de instalaci\u00f3n, provocando la ejecuci\u00f3n de c\u00f3digo arbitrario."
}
],
"id": "CVE-2023-4770",
"lastModified": "2024-11-21T08:35:56.800",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.6,
"impactScore": 5.9,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-30T14:15:11.880",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-427"
}
],
"source": "cve-coordination@incibe.es",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-30222
Vulnerability from fkie_nvd - Published: 2023-06-16 17:15 - Updated: 2024-11-21 07:59
Severity ?
Summary
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:4d:server:17:*:*:*:*:*:*:*",
"matchCriteriaId": "D7342973-0BD3-4C09-87D4-BBCA31B84A88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:18:-:*:*:*:*:*:*",
"matchCriteriaId": "D1FA8D11-BBB0-4A10-95CE-FED4448A233C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:18:r5:*:*:*:*:*:*",
"matchCriteriaId": "29C6A752-ACED-46A2-AAE7-534B19EC5735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:19:-:*:*:*:*:*:*",
"matchCriteriaId": "43EA872D-1084-4059-A0B4-A9272614B067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:19:r7:*:*:*:*:*:*",
"matchCriteriaId": "78924358-0364-436E-8642-890E2264EC41",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping."
}
],
"id": "CVE-2023-30222",
"lastModified": "2024-11-21T07:59:55.240",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-16T17:15:11.857",
"references": [
{
"source": "cve@mitre.org",
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-30223
Vulnerability from fkie_nvd - Published: 2023-06-16 17:15 - Updated: 2024-11-21 07:59
Severity ?
Summary
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:4d:server:17:*:*:*:*:*:*:*",
"matchCriteriaId": "D7342973-0BD3-4C09-87D4-BBCA31B84A88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:18:-:*:*:*:*:*:*",
"matchCriteriaId": "D1FA8D11-BBB0-4A10-95CE-FED4448A233C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:18:r5:*:*:*:*:*:*",
"matchCriteriaId": "29C6A752-ACED-46A2-AAE7-534B19EC5735",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:19:-:*:*:*:*:*:*",
"matchCriteriaId": "43EA872D-1084-4059-A0B4-A9272614B067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:4d:server:19:r7:*:*:*:*:*:*",
"matchCriteriaId": "78924358-0364-436E-8642-890E2264EC41",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions."
}
],
"id": "CVE-2023-30223",
"lastModified": "2024-11-21T07:59:55.393",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-16T17:15:11.897",
"references": [
{
"source": "cve@mitre.org",
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://packetstormsecurity.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2023-4770 (GCVE-0-2023-4770)
Vulnerability from cvelistv5 – Published: 2023-11-30 13:32 – Updated: 2024-08-02 07:37
VLAI?
Title
Uncontrolled Search Path Element Vulnerability in 4D and 4D Windows Server
Summary
An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.
Severity ?
6.5 (Medium)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| 4D | 4D.exe |
Affected:
19 R8 100218
|
|||||||
|
|||||||||
Credits
Alexander Huamán Jaimes (@zanganox)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:37:59.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "4D.exe",
"vendor": "4D",
"versions": [
{
"status": "affected",
"version": "19 R8 100218"
}
]
},
{
"defaultStatus": "unaffected",
"product": "4D Server.exe",
"vendor": "4D",
"versions": [
{
"status": "affected",
"version": "19 R8 100218"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Alexander Huam\u00e1n Jaimes (@zanganox)"
}
],
"datePublic": "2023-11-09T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution."
}
],
"value": "An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-30T13:32:43.408Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Uncontrolled Search Path Element Vulnerability in 4D and 4D Windows Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2023-4770",
"datePublished": "2023-11-30T13:32:43.408Z",
"dateReserved": "2023-09-05T11:46:36.852Z",
"dateUpdated": "2024-08-02T07:37:59.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30222 (GCVE-0-2023-30222)
Vulnerability from cvelistv5 – Published: 2023-06-16 00:00 – Updated: 2024-08-02 14:21
VLAI?
Summary
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:21:44.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T00:32:13.699579",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com"
},
{
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-30222",
"datePublished": "2023-06-16T00:00:00",
"dateReserved": "2023-04-07T00:00:00",
"dateUpdated": "2024-08-02T14:21:44.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30223 (GCVE-0-2023-30223)
Vulnerability from cvelistv5 – Published: 2023-06-16 00:00 – Updated: 2024-08-02 14:21
VLAI?
Summary
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:21:44.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T00:33:14.034308",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com"
},
{
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-30223",
"datePublished": "2023-06-16T00:00:00",
"dateReserved": "2023-04-07T00:00:00",
"dateUpdated": "2024-08-02T14:21:44.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-4770 (GCVE-0-2023-4770)
Vulnerability from nvd – Published: 2023-11-30 13:32 – Updated: 2024-08-02 07:37
VLAI?
Title
Uncontrolled Search Path Element Vulnerability in 4D and 4D Windows Server
Summary
An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.
Severity ?
6.5 (Medium)
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| 4D | 4D.exe |
Affected:
19 R8 100218
|
|||||||
|
|||||||||
Credits
Alexander Huamán Jaimes (@zanganox)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:37:59.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "4D.exe",
"vendor": "4D",
"versions": [
{
"status": "affected",
"version": "19 R8 100218"
}
]
},
{
"defaultStatus": "unaffected",
"product": "4D Server.exe",
"vendor": "4D",
"versions": [
{
"status": "affected",
"version": "19 R8 100218"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Alexander Huam\u00e1n Jaimes (@zanganox)"
}
],
"datePublic": "2023-11-09T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution."
}
],
"value": "An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-30T13:32:43.408Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Uncontrolled Search Path Element Vulnerability in 4D and 4D Windows Server",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2023-4770",
"datePublished": "2023-11-30T13:32:43.408Z",
"dateReserved": "2023-09-05T11:46:36.852Z",
"dateUpdated": "2024-08-02T07:37:59.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30222 (GCVE-0-2023-30222)
Vulnerability from nvd – Published: 2023-06-16 00:00 – Updated: 2024-08-02 14:21
VLAI?
Summary
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:21:44.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T00:32:13.699579",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com"
},
{
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-30222",
"datePublished": "2023-06-16T00:00:00",
"dateReserved": "2023-04-07T00:00:00",
"dateUpdated": "2024-08-02T14:21:44.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30223 (GCVE-0-2023-30223)
Vulnerability from nvd – Published: 2023-06-16 00:00 – Updated: 2024-08-02 14:21
VLAI?
Summary
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:21:44.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://packetstormsecurity.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T00:33:14.034308",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://packetstormsecurity.com"
},
{
"url": "https://www.infigo.is/en/insights/42/information-disclosure-and-broken-authentication-in-4d-sas-4d-server/"
},
{
"url": "https://blog.4d.com/security-bulletin-two-cves-and-how-to-stay-secure/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-30223",
"datePublished": "2023-06-16T00:00:00",
"dateReserved": "2023-04-07T00:00:00",
"dateUpdated": "2024-08-02T14:21:44.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}