Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-38125— Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability

EPSS 0.66% · P71
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-38125

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Softing edgeAggregator Permissive Cross-domain Policy with Untrusted Domains Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Softing edgeAggregator. Authentication is required to exploit this vulnerability. The specific flaw exists within the configuration of the web server. The issue results from the lack of appropriate Content Security Policy headers. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of root. Was ZDI-CAN-20542.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
过度许可的跨域白名单
Source: NVD (National Vulnerability Database)
Vulnerability Title
Softing edgeAggregator 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Softing edgeAggregator是Softing的一个灵活且基于容器的解决方案,用于管理OT/IT集成到边缘和云应用的复杂系统架构。 Softing edgeAggregator 存在安全漏洞,该漏洞源于Web 服务器的配置中缺乏适当的内容安全策略标头,攻击者利用该漏洞可以在 root 上下文中执行代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
SoftingedgeAggregator 3.40 -

II. Public POCs for CVE-2023-38125

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-38125

登录查看更多情报信息。

Same Patch Batch · Softing · 2024-05-03 · 9 CVEs total

CVE-2023-39480Softing Secure Integration Server FileDirectory OPC UA Object Arbitrary File Creation Vuln
CVE-2023-39481Softing Secure Integration Server Interpretation Conflict Remote Code Execution Vulnerabil
CVE-2023-39482Softing Secure Integration Server Hardcoded Cryptographic Key Information Disclosure Vulne
CVE-2023-39479Softing Secure Integration Server OPC UA Gateway Directory Creation Vulnerability
CVE-2023-39478Softing Secure Integration Server Exposure of Resource to Wrong Sphere Remote Code Executi
CVE-2023-27334Softing edgeConnector Siemens ConditionRefresh Resource Exhaustion Denial-of-Service Vulne
CVE-2023-27336Softing edgeConnector Siemens OPC UA Server Null Pointer Dereference Denial-of-Service Vul
CVE-2023-27335Softing edgeAggregator Client Cross-Site Scripting Remote Code Execution Vulnerability

IV. Related Vulnerabilities

Same product: edgeAggregator
Same vendor: Softing
Same weakness: CWE-942

V. Comments for CVE-2023-38125

No comments yet

Leave a comment