cvelistv5 - CVE-2023-4296

CVE-2023-4296 (GCVE-0-2023-4296)

Vulnerability from cvelistv5 – Published: 2023-08-29 21:42 – Updated: 2025-02-13 17:13

Summary

If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-79 - Cross-site Scripting

Assigner

icscert

References

URL

Tags

	https://www.cisa.gov/news-events/ics-advisories/i…
	https://codebeamer.com/cb/wiki/31346480
	http://seclists.org/fulldisclosure/2023/Sep/10
	http://packetstormsecurity.com/files/174703/PTC-C…

Impacted products

	Vendor	Product	Version
	PTC	Codebeamer	Affected: 0 , ≤ v22.10-SP7 (custom) Affected: 0 , ≤ v22.04-SP5 (custom) Affected: 0 , ≤ v21.09-SP13 (custom) Unaffected: 2.0

Credits

Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:24:04.488Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://codebeamer.com/cb/wiki/31346480"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4296",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-16T21:20:33.944438Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-16T21:30:47.228Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Codebeamer",
          "vendor": "PTC",
          "versions": [
            {
              "lessThanOrEqual": "v22.10-SP7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v22.04-SP5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "v21.09-SP13",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA."
        }
      ],
      "datePublic": "2023-08-29T21:38:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\u003c/span\u003e"
            }
          ],
          "value": "\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-18T12:06:22.546Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
        },
        {
          "url": "https://codebeamer.com/cb/wiki/31346480"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
        },
        {
          "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ePTC recommends the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u200bVersion 22.10.X: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003eupgrade to 22.10-SP8\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003cli\u003e\u200bVersion 22.04.X: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003eupgrade to 22.04-SP6\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003cli\u003e\u200bVersion 21.09.X: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003eupgrade to 21.09-SP14\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u200bDocker Image download: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://hub.docker.com/r/intland/codebeamer/tags\"\u003ehttps://hub.docker.com/r/intland/codebeamer/tags\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u200bCodebeamer installers: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003ehttps://intland.com/codebeamer-download/\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u200bHosted customers may \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://codebeamer.com/cb/tracker/1910563?showAll=false\"\u003erequest an upgrade through the support channel\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u200bNote that version 2.0 is not impacted by this vulnerability.\u003c/p\u003e\u003cp\u003e\u200bFor more information refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://codebeamer.com/cb/wiki/31346480\"\u003ePTC Security Advisory and Resolution\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "PTC recommends the following:\n\n  *  \u200bVersion 22.10.X:  upgrade to 22.10-SP8 https://intland.com/codebeamer-download/ \u00a0or newer version\n  *  \u200bVersion 22.04.X:  upgrade to 22.04-SP6 https://intland.com/codebeamer-download/ \u00a0or newer version\n  *  \u200bVersion 21.09.X:  upgrade to 21.09-SP14 https://intland.com/codebeamer-download/ \u00a0or newer version\n\n\n\u200bDocker Image download:  https://hub.docker.com/r/intland/codebeamer/tags https://hub.docker.com/r/intland/codebeamer/tags \n\n\u200bCodebeamer installers:  https://intland.com/codebeamer-download/ https://intland.com/codebeamer-download/ \n\n\u200bHosted customers may  request an upgrade through the support channel https://codebeamer.com/cb/tracker/1910563 .\n\n\u200bNote that version 2.0 is not impacted by this vulnerability.\n\n\u200bFor more information refer to  PTC Security Advisory and Resolution https://codebeamer.com/cb/wiki/31346480 ."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "PTC Codebeamer Cross site scripting",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2023-4296",
    "datePublished": "2023-08-29T21:42:48.880Z",
    "dateReserved": "2023-08-10T14:52:35.290Z",
    "dateUpdated": "2025-02-13T17:13:13.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"D8842BD8-5ADE-4F4C-892B-C7FD0BD00549\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4A96C543-780C-4FB8-9B66-E3A970284157\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp10:*:*:*:*:*:*\", \"matchCriteriaId\": \"869FDFD2-B254-46F1-977C-8C45FC53CF4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp11:*:*:*:*:*:*\", \"matchCriteriaId\": \"E162A5AA-DF07-4DB9-A0ED-15CD181B3E8B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp12:*:*:*:*:*:*\", \"matchCriteriaId\": \"61E616EF-4DD8-4F24-8132-069D1839CC44\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp13:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E1FFA2A-5A02-4D3E-AF1A-49F9CB751B29\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp2:*:*:*:*:*:*\", \"matchCriteriaId\": \"8EC6A60D-1117-45A3-B64F-6A3C99CCCBF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp3:*:*:*:*:*:*\", \"matchCriteriaId\": \"82586B4B-1876-4F6A-903A-B89A50CB13DC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp4:*:*:*:*:*:*\", \"matchCriteriaId\": \"EF54ED5C-B686-4036-8EC4-C2C65D4463FD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp5:*:*:*:*:*:*\", \"matchCriteriaId\": \"D8162D88-A7D0-4BC0-A2D9-D83EC620C009\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp6:*:*:*:*:*:*\", \"matchCriteriaId\": \"FE271018-6A6F-4CDD-97AA-12F8A9DE9640\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp7:*:*:*:*:*:*\", \"matchCriteriaId\": \"21A2D6ED-17D8-4DAD-9775-02419D79DD3F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp8:*:*:*:*:*:*\", \"matchCriteriaId\": \"A099E310-FBA2-4EB1-BD86-C52686E7FA89\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:21.09.0:sp9:*:*:*:*:*:*\", \"matchCriteriaId\": \"0291CE0C-97E3-4933-9B13-6DBB616DAA60\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.04.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"334D6C73-8DED-4C77-9222-5534D1F3503D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.04.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"7F517B94-96C4-4FD0-BB84-73CA2BA0F88B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.04.0:sp2:*:*:*:*:*:*\", \"matchCriteriaId\": \"65EA30F3-F924-42B3-BFCC-875411C0A7C7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.04.0:sp3:*:*:*:*:*:*\", \"matchCriteriaId\": \"42357940-98B9-4966-9B85-E5AB495560A6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.04.0:sp4:*:*:*:*:*:*\", \"matchCriteriaId\": \"EB8DB5F9-1972-4F06-9060-E95F8C462681\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.04.0:sp5:*:*:*:*:*:*\", \"matchCriteriaId\": \"6AD9CDC5-D62C-4CC4-9328-2C0E41300CDD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"A54ADF57-985E-41AB-B1DF-77E9303531E8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp1:*:*:*:*:*:*\", \"matchCriteriaId\": \"F94411ED-3CDA-4432-8487-2EE2DD072D6D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp2:*:*:*:*:*:*\", \"matchCriteriaId\": \"E4050B8C-FBA8-48CA-AF45-BC7C70235E37\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp3:*:*:*:*:*:*\", \"matchCriteriaId\": \"19490284-BC6A-45A0-B68D-743E139EB067\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp4:*:*:*:*:*:*\", \"matchCriteriaId\": \"D5CF8652-238F-4442-9AA2-B8A6FD9B681C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp5:*:*:*:*:*:*\", \"matchCriteriaId\": \"FC9DEE58-BD1A-47DB-918B-CE1A1D7A7866\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp6:*:*:*:*:*:*\", \"matchCriteriaId\": \"8948D8AB-8392-4CD8-8F8B-F59410A37BBF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp7:*:*:*:*:*:*\", \"matchCriteriaId\": \"A3E14B5E-A1CF-402C-B56A-C745DE28BF91\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:intland:codebeamer:22.10.0:sp8:*:*:*:*:*:*\", \"matchCriteriaId\": \"0B1F1CCA-B937-4AFB-8363-554D74DE71BD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\n\\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\\n\\n\"}, {\"lang\": \"es\", \"value\": \"?Si un atacante enga\\u00f1a a un usuario administrador de PTC Codebeamer para que haga clic en un v\\u00ednculo malicioso, puede permitir que el atacante inyecte c\\u00f3digo arbitrario para que se ejecute en el navegador del dispositivo de destino.\"}]",
      "id": "CVE-2023-4296",
      "lastModified": "2024-11-21T08:34:48.323",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}",
      "published": "2023-08-29T22:15:09.297",
      "references": "[{\"url\": \"http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html\", \"source\": \"ics-cert@hq.dhs.gov\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Sep/10\", \"source\": \"ics-cert@hq.dhs.gov\"}, {\"url\": \"https://codebeamer.com/cb/wiki/31346480\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}, {\"url\": \"http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Sep/10\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://codebeamer.com/cb/wiki/31346480\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"US Government Resource\"]}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"ics-cert@hq.dhs.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-4296\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2023-08-29T22:15:09.297\",\"lastModified\":\"2025-02-13T17:17:17.657\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\"},{\"lang\":\"es\",\"value\":\"?Si un atacante enga\u00f1a a un usuario administrador de PTC Codebeamer para que haga clic en un v\u00ednculo malicioso, puede permitir que el atacante inyecte c\u00f3digo arbitrario para que se ejecute en el navegador del dispositivo de destino.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8842BD8-5ADE-4F4C-892B-C7FD0BD00549\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A96C543-780C-4FB8-9B66-E3A970284157\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp10:*:*:*:*:*:*\",\"matchCriteriaId\":\"869FDFD2-B254-46F1-977C-8C45FC53CF4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp11:*:*:*:*:*:*\",\"matchCriteriaId\":\"E162A5AA-DF07-4DB9-A0ED-15CD181B3E8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp12:*:*:*:*:*:*\",\"matchCriteriaId\":\"61E616EF-4DD8-4F24-8132-069D1839CC44\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp13:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E1FFA2A-5A02-4D3E-AF1A-49F9CB751B29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"8EC6A60D-1117-45A3-B64F-6A3C99CCCBF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp3:*:*:*:*:*:*\",\"matchCriteriaId\":\"82586B4B-1876-4F6A-903A-B89A50CB13DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp4:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF54ED5C-B686-4036-8EC4-C2C65D4463FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp5:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8162D88-A7D0-4BC0-A2D9-D83EC620C009\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp6:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE271018-6A6F-4CDD-97AA-12F8A9DE9640\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp7:*:*:*:*:*:*\",\"matchCriteriaId\":\"21A2D6ED-17D8-4DAD-9775-02419D79DD3F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp8:*:*:*:*:*:*\",\"matchCriteriaId\":\"A099E310-FBA2-4EB1-BD86-C52686E7FA89\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:21.09.0:sp9:*:*:*:*:*:*\",\"matchCriteriaId\":\"0291CE0C-97E3-4933-9B13-6DBB616DAA60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.04.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"334D6C73-8DED-4C77-9222-5534D1F3503D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.04.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F517B94-96C4-4FD0-BB84-73CA2BA0F88B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.04.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"65EA30F3-F924-42B3-BFCC-875411C0A7C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.04.0:sp3:*:*:*:*:*:*\",\"matchCriteriaId\":\"42357940-98B9-4966-9B85-E5AB495560A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.04.0:sp4:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB8DB5F9-1972-4F06-9060-E95F8C462681\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.04.0:sp5:*:*:*:*:*:*\",\"matchCriteriaId\":\"6AD9CDC5-D62C-4CC4-9328-2C0E41300CDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"A54ADF57-985E-41AB-B1DF-77E9303531E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F94411ED-3CDA-4432-8487-2EE2DD072D6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4050B8C-FBA8-48CA-AF45-BC7C70235E37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp3:*:*:*:*:*:*\",\"matchCriteriaId\":\"19490284-BC6A-45A0-B68D-743E139EB067\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5CF8652-238F-4442-9AA2-B8A6FD9B681C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp5:*:*:*:*:*:*\",\"matchCriteriaId\":\"FC9DEE58-BD1A-47DB-918B-CE1A1D7A7866\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp6:*:*:*:*:*:*\",\"matchCriteriaId\":\"8948D8AB-8392-4CD8-8F8B-F59410A37BBF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp7:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3E14B5E-A1CF-402C-B56A-C745DE28BF91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:intland:codebeamer:22.10.0:sp8:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B1F1CCA-B937-4AFB-8363-554D74DE71BD\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/Sep/10\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://codebeamer.com/cb/wiki/31346480\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://seclists.org/fulldisclosure/2023/Sep/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://codebeamer.com/cb/wiki/31346480\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://codebeamer.com/cb/wiki/31346480\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Sep/10\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T07:24:04.488Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-4296\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-16T21:20:33.944438Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-16T21:20:35.352Z\"}}], \"cna\": {\"title\": \"PTC Codebeamer Cross site scripting\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"PTC\", \"product\": \"Codebeamer\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"v22.10-SP7\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"v22.04-SP5\"}, {\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"v21.09-SP13\"}, {\"status\": \"unaffected\", \"version\": \"2.0\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"\\nPTC recommends the following:\\n\\n  *  \\u200bVersion 22.10.X:  upgrade to 22.10-SP8 https://intland.com/codebeamer-download/ \\u00a0or newer version\\n  *  \\u200bVersion 22.04.X:  upgrade to 22.04-SP6 https://intland.com/codebeamer-download/ \\u00a0or newer version\\n  *  \\u200bVersion 21.09.X:  upgrade to 21.09-SP14 https://intland.com/codebeamer-download/ \\u00a0or newer version\\n\\n\\n\\u200bDocker Image download:  https://hub.docker.com/r/intland/codebeamer/tags https://hub.docker.com/r/intland/codebeamer/tags \\n\\n\\u200bCodebeamer installers:  https://intland.com/codebeamer-download/ https://intland.com/codebeamer-download/ \\n\\n\\u200bHosted customers may  request an upgrade through the support channel https://codebeamer.com/cb/tracker/1910563 .\\n\\n\\u200bNote that version 2.0 is not impacted by this vulnerability.\\n\\n\\u200bFor more information refer to  PTC Security Advisory and Resolution https://codebeamer.com/cb/wiki/31346480 .\\n\\n\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cp\u003ePTC recommends the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\\u200bVersion 22.10.X: \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://intland.com/codebeamer-download/\\\"\u003eupgrade to 22.10-SP8\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003cli\u003e\\u200bVersion 22.04.X: \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://intland.com/codebeamer-download/\\\"\u003eupgrade to 22.04-SP6\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003cli\u003e\\u200bVersion 21.09.X: \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://intland.com/codebeamer-download/\\\"\u003eupgrade to 21.09-SP14\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\\u200bDocker Image download: \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://hub.docker.com/r/intland/codebeamer/tags\\\"\u003ehttps://hub.docker.com/r/intland/codebeamer/tags\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\\u200bCodebeamer installers: \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://intland.com/codebeamer-download/\\\"\u003ehttps://intland.com/codebeamer-download/\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\\u200bHosted customers may \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://codebeamer.com/cb/tracker/1910563?showAll=false\\\"\u003erequest an upgrade through the support channel\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\\u200bNote that version 2.0 is not impacted by this vulnerability.\u003c/p\u003e\u003cp\u003e\\u200bFor more information refer to \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://codebeamer.com/cb/wiki/31346480\\\"\u003ePTC Security Advisory and Resolution\u003c/a\u003e.\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2023-08-29T21:38:00.000Z\", \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01\"}, {\"url\": \"https://codebeamer.com/cb/wiki/31346480\"}, {\"url\": \"http://seclists.org/fulldisclosure/2023/Sep/10\"}, {\"url\": \"http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\n\\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\u003c/span\u003e\\n\\n\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Cross-site Scripting\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2023-08-31T14:44:51.524Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-4296\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-16T21:30:47.228Z\", \"dateReserved\": \"2023-08-10T14:52:35.290Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2023-08-29T21:42:48.880Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-4296

Vulnerability from fkie_nvd - Published: 2023-08-29 22:15 - Updated: 2025-02-13 17:17

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

References

URL	Tags
ics-cert@hq.dhs.gov	http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html
ics-cert@hq.dhs.gov	http://seclists.org/fulldisclosure/2023/Sep/10
ics-cert@hq.dhs.gov	https://codebeamer.com/cb/wiki/31346480	Vendor Advisory
ics-cert@hq.dhs.gov	https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2023/Sep/10
af854a3a-2127-422b-91ae-364da2661108	https://codebeamer.com/cb/wiki/31346480	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01	Third Party Advisory, US Government Resource

Impacted products

Vendor	Product	Version
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	21.09.0
intland	codebeamer	22.04.0
intland	codebeamer	22.04.0
intland	codebeamer	22.04.0
intland	codebeamer	22.04.0
intland	codebeamer	22.04.0
intland	codebeamer	22.04.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0
intland	codebeamer	22.10.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "D8842BD8-5ADE-4F4C-892B-C7FD0BD00549",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "4A96C543-780C-4FB8-9B66-E3A970284157",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp10:*:*:*:*:*:*",
              "matchCriteriaId": "869FDFD2-B254-46F1-977C-8C45FC53CF4C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp11:*:*:*:*:*:*",
              "matchCriteriaId": "E162A5AA-DF07-4DB9-A0ED-15CD181B3E8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp12:*:*:*:*:*:*",
              "matchCriteriaId": "61E616EF-4DD8-4F24-8132-069D1839CC44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp13:*:*:*:*:*:*",
              "matchCriteriaId": "4E1FFA2A-5A02-4D3E-AF1A-49F9CB751B29",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "8EC6A60D-1117-45A3-B64F-6A3C99CCCBF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "82586B4B-1876-4F6A-903A-B89A50CB13DC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp4:*:*:*:*:*:*",
              "matchCriteriaId": "EF54ED5C-B686-4036-8EC4-C2C65D4463FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp5:*:*:*:*:*:*",
              "matchCriteriaId": "D8162D88-A7D0-4BC0-A2D9-D83EC620C009",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp6:*:*:*:*:*:*",
              "matchCriteriaId": "FE271018-6A6F-4CDD-97AA-12F8A9DE9640",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp7:*:*:*:*:*:*",
              "matchCriteriaId": "21A2D6ED-17D8-4DAD-9775-02419D79DD3F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp8:*:*:*:*:*:*",
              "matchCriteriaId": "A099E310-FBA2-4EB1-BD86-C52686E7FA89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:21.09.0:sp9:*:*:*:*:*:*",
              "matchCriteriaId": "0291CE0C-97E3-4933-9B13-6DBB616DAA60",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.04.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "334D6C73-8DED-4C77-9222-5534D1F3503D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.04.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "7F517B94-96C4-4FD0-BB84-73CA2BA0F88B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.04.0:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "65EA30F3-F924-42B3-BFCC-875411C0A7C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.04.0:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "42357940-98B9-4966-9B85-E5AB495560A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.04.0:sp4:*:*:*:*:*:*",
              "matchCriteriaId": "EB8DB5F9-1972-4F06-9060-E95F8C462681",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.04.0:sp5:*:*:*:*:*:*",
              "matchCriteriaId": "6AD9CDC5-D62C-4CC4-9328-2C0E41300CDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "A54ADF57-985E-41AB-B1DF-77E9303531E8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp1:*:*:*:*:*:*",
              "matchCriteriaId": "F94411ED-3CDA-4432-8487-2EE2DD072D6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp2:*:*:*:*:*:*",
              "matchCriteriaId": "E4050B8C-FBA8-48CA-AF45-BC7C70235E37",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp3:*:*:*:*:*:*",
              "matchCriteriaId": "19490284-BC6A-45A0-B68D-743E139EB067",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp4:*:*:*:*:*:*",
              "matchCriteriaId": "D5CF8652-238F-4442-9AA2-B8A6FD9B681C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp5:*:*:*:*:*:*",
              "matchCriteriaId": "FC9DEE58-BD1A-47DB-918B-CE1A1D7A7866",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp6:*:*:*:*:*:*",
              "matchCriteriaId": "8948D8AB-8392-4CD8-8F8B-F59410A37BBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp7:*:*:*:*:*:*",
              "matchCriteriaId": "A3E14B5E-A1CF-402C-B56A-C745DE28BF91",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:intland:codebeamer:22.10.0:sp8:*:*:*:*:*:*",
              "matchCriteriaId": "0B1F1CCA-B937-4AFB-8363-554D74DE71BD",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device."
    },
    {
      "lang": "es",
      "value": "?Si un atacante enga\u00f1a a un usuario administrador de PTC Codebeamer para que haga clic en un v\u00ednculo malicioso, puede permitir que el atacante inyecte c\u00f3digo arbitrario para que se ejecute en el navegador del dispositivo de destino."
    }
  ],
  "id": "CVE-2023-4296",
  "lastModified": "2025-02-13T17:17:17.657",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "ics-cert@hq.dhs.gov",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-08-29T22:15:09.297",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://codebeamer.com/cb/wiki/31346480"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://codebeamer.com/cb/wiki/31346480"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Primary"
    }
  ]
}

GHSA-QJ2Q-GQRJ-FH7G

Vulnerability from github – Published: 2023-08-30 00:30 – Updated: 2025-02-13 18:31

Details

?If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-4296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-29T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "?If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.",
  "id": "GHSA-qj2q-gqrj-fh7g",
  "modified": "2025-02-13T18:31:51Z",
  "published": "2023-08-30T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4296"
    },
    {
      "type": "WEB",
      "url": "https://codebeamer.com/cb/wiki/31346480"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2023-4296

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.

Aliases

CVE-2023-4296

Aliases

CVE-2023-4296

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-4296",
    "id": "GSD-2023-4296"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-4296"
      ],
      "details": "\n\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\n\n",
      "id": "GSD-2023-4296",
      "modified": "2023-12-13T01:20:27.054468Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2023-4296",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Codebeamer",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "not down converted",
                          "x_cve_json_5_version_data": {
                            "defaultStatus": "unaffected",
                            "versions": [
                              {
                                "lessThanOrEqual": "v22.10-SP7",
                                "status": "affected",
                                "version": "0",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "v22.04-SP5",
                                "status": "affected",
                                "version": "0",
                                "versionType": "custom"
                              },
                              {
                                "lessThanOrEqual": "v21.09-SP13",
                                "status": "affected",
                                "version": "0",
                                "versionType": "custom"
                              },
                              {
                                "status": "unaffected",
                                "version": "2.0"
                              }
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "PTC"
            }
          ]
        }
      },
      "credits": [
        {
          "lang": "en",
          "value": "Niklas Schilling of SEC Consult Vulnerability Lab reported this vulnerability to CISA."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "\n\u200bIf an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\n\n"
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79 Cross-site Scripting"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01",
            "refsource": "MISC",
            "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
          },
          {
            "name": "https://codebeamer.com/cb/wiki/31346480",
            "refsource": "MISC",
            "url": "https://codebeamer.com/cb/wiki/31346480"
          },
          {
            "name": "http://seclists.org/fulldisclosure/2023/Sep/10",
            "refsource": "MISC",
            "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
          },
          {
            "name": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cp\u003ePTC recommends the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u200bVersion 22.10.X: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003eupgrade to 22.10-SP8\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003cli\u003e\u200bVersion 22.04.X: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003eupgrade to 22.04-SP6\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003cli\u003e\u200bVersion 21.09.X: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003eupgrade to 21.09-SP14\u003c/a\u003e\u0026nbsp;or newer version\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u200bDocker Image download: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://hub.docker.com/r/intland/codebeamer/tags\"\u003ehttps://hub.docker.com/r/intland/codebeamer/tags\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u200bCodebeamer installers: \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://intland.com/codebeamer-download/\"\u003ehttps://intland.com/codebeamer-download/\u003c/a\u003e\u003c/p\u003e\u003cp\u003e\u200bHosted customers may \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://codebeamer.com/cb/tracker/1910563?showAll=false\"\u003erequest an upgrade through the support channel\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u200bNote that version 2.0 is not impacted by this vulnerability.\u003c/p\u003e\u003cp\u003e\u200bFor more information refer to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://codebeamer.com/cb/wiki/31346480\"\u003ePTC Security Advisory and Resolution\u003c/a\u003e.\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nPTC recommends the following:\n\n  *  \u200bVersion 22.10.X:  upgrade to 22.10-SP8 https://intland.com/codebeamer-download/ \u00a0or newer version\n  *  \u200bVersion 22.04.X:  upgrade to 22.04-SP6 https://intland.com/codebeamer-download/ \u00a0or newer version\n  *  \u200bVersion 21.09.X:  upgrade to 21.09-SP14 https://intland.com/codebeamer-download/ \u00a0or newer version\n\n\n\u200bDocker Image download:  https://hub.docker.com/r/intland/codebeamer/tags https://hub.docker.com/r/intland/codebeamer/tags \n\n\u200bCodebeamer installers:  https://intland.com/codebeamer-download/ https://intland.com/codebeamer-download/ \n\n\u200bHosted customers may  request an upgrade through the support channel https://codebeamer.com/cb/tracker/1910563 .\n\n\u200bNote that version 2.0 is not impacted by this vulnerability.\n\n\u200bFor more information refer to  PTC Security Advisory and Resolution https://codebeamer.com/cb/wiki/31346480 .\n\n\n\n\n"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp9:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp10:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp11:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp12:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:21.09.0:sp13:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.04.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.04.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.04.0:sp2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.04.0:sp3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.04.0:sp4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.04.0:sp5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp5:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp6:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp7:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:sp8:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:intland:codebeamer:22.10.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2023-4296"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "\n?If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://codebeamer.com/cb/wiki/31346480",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://codebeamer.com/cb/wiki/31346480"
            },
            {
              "name": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
            },
            {
              "name": "http://seclists.org/fulldisclosure/2023/Sep/10",
              "refsource": "MISC",
              "tags": [],
              "url": "http://seclists.org/fulldisclosure/2023/Sep/10"
            },
            {
              "name": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://packetstormsecurity.com/files/174703/PTC-Codebeamer-Cross-Site-Scripting.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2023-09-18T16:15Z",
      "publishedDate": "2023-08-29T22:15Z"
    }
  }
}

ICSA-23-241-01

Vulnerability from csaf_cisa - Published: 2023-08-29 06:00 - Updated: 2023-08-29 06:00

Summary

PTC Codebeamer

Notes

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to inject arbitrary code into the target's browser.

Critical infrastructure sectors

Multiple

Countries/areas deployed

Worldwide

Company headquarters location

United States

Recommended Practices

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

Do not click web links or open attachments in unsolicited email messages.

Recommended Practices

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Recommended Practices

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Recommended Practices

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

Recommended Practices

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Recommended Practices

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Recommended Practices

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Niklas Schilling"
        ],
        "organization": "SEC Consult Vulnerability Lab",
        "summary": "reporting this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to inject arbitrary code into the target\u0027s browser.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Multiple",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA also recommends users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Do not click web links or open attachments in unsolicited email messages.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-23-241-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2023/icsa-23-241-01.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-23-241-01 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-241-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/publications/emailscams0905.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ncas/tips/ST04-014"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "PTC Codebeamer",
    "tracking": {
      "current_release_date": "2023-08-29T06:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-23-241-01",
      "initial_release_date": "2023-08-29T06:00:00.000000Z",
      "revision_history": [
        {
          "date": "2023-08-29T06:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Publication"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 22.10-SP6",
                "product": {
                  "name": "Codebeamer 22.10.X: \u003c= 22.10-SP6",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "Codebeamer 22.10.X"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 22.04-SP2",
                "product": {
                  "name": "Codebeamer 22.04.X: \u003c= 22.04-SP2",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Codebeamer 22.04.X"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 21.09-SP13",
                "product": {
                  "name": "Codebeamer 21.09.X: \u003c= 21.09-SP13",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "Codebeamer 21.09.X"
          }
        ],
        "category": "vendor",
        "name": "PTC"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4296",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "If an attacker tricks an admin user of PTC Codebeamer into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device.",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002",
          "CSAFPID-0003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4296"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "PTC recommends the following:",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Codebeamer 22.10.X: upgrade to 22.10-SP7 or newer version",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Codebeamer 22.04.X: upgrade to 22.04-SP3 or newer version",
          "product_ids": [
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Codebeamer 21.09.X: upgrade to 21.09-SP14 or newer version",
          "product_ids": [
            "CSAFPID-0003"
          ]
        },
        {
          "category": "mitigation",
          "details": "Docker Image download: https://hub.docker.com/r/intland/codebeamer/tags",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://hub.docker.com/r/intland/codebeamer/tags"
        },
        {
          "category": "mitigation",
          "details": "Codebeamer installers: https://intland.com/codebeamer-download/",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://intland.com/codebeamer-download/"
        },
        {
          "category": "mitigation",
          "details": "Hosted customers may request an upgrade through the support channel. Note that version 2.0 is not impacted by this vulnerability.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://codebeamer.com/cb/tracker/1910563?showAll=false"
        },
        {
          "category": "mitigation",
          "details": "For more information refer to PTC Security Advisory and Resolution.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ],
          "url": "https://codebeamer.com/cb/wiki/31346480"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002",
            "CSAFPID-0003"
          ]
        }
      ]
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-4296 (GCVE-0-2023-4296)

FKIE_CVE-2023-4296

GHSA-QJ2Q-GQRJ-FH7G

GSD-2023-4296

ICSA-23-241-01

Tags

Sightings

Nomenclature