Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-27335— Softing edgeAggregator Client Cross-Site Scripting Remote Code Execution Vulnerability

EPSS 0.55% · P68
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-27335

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Softing edgeAggregator Client Cross-Site Scripting Remote Code Execution Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Softing edgeAggregator Client Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing edgeAggregator. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the input parameters provided to the edgeAggregetor client. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20504.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Softing edgeAggregator 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Softing edgeAggregator是Softing的一个灵活且基于容器的解决方案,用于管理OT/IT集成到边缘和云应用的复杂系统架构。 Softing edgeAggregator 存在安全漏洞,该漏洞源于提供给 EdgeAggregetor 客户端的输入参数缺乏对用户提供的数据进行适当验证,可能导致任意脚本的注入。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
SoftingedgeAggregator 3.40 -

II. Public POCs for CVE-2023-27335

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-27335

登录查看更多情报信息。

Same Patch Batch · Softing · 2024-05-03 · 9 CVEs total

CVE-2023-39480Softing Secure Integration Server FileDirectory OPC UA Object Arbitrary File Creation Vuln
CVE-2023-39481Softing Secure Integration Server Interpretation Conflict Remote Code Execution Vulnerabil
CVE-2023-39482Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulne
CVE-2023-39479Softing Secure Integration Server OPC UA Gateway Directory Creation Vulnerability
CVE-2023-39478Softing Secure Integration Server Exposure of Resource to Wrong Sphere Remote Code Executi
CVE-2023-38125Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code E
CVE-2023-27334Softing edgeConnector Siemens ConditionRefresh Resource Exhaustion Denial-of-Service Vulne
CVE-2023-27336Softing edgeConnector Siemens OPC UA Server Null Pointer Dereference Denial-of-Service Vul

IV. Related Vulnerabilities

Same product: edgeAggregator
Same vendor: Softing
Same weakness: CWE-79

V. Comments for CVE-2023-27335

No comments yet

Leave a comment