Cyber Resilience

CVE-2023-1362

Severity: Medium · Public PoC available

Published: 13 March 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (fixed in v2.0.2)
CVSS Score v3.1 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score 0.5110 97.9th percentile
Risk Priority 43 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1362 is a medium-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021, i.e. clickjacking) vulnerability in Bumsys from the Bumsys project (GitHub repository unilogies/bumsys). Its CVSS base score is 6.1 (Medium).

In operational terms: its EPSS score places it in the top 2.1% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-1362 is an instance of improper restriction of rendered UI layers or frames (clickjacking), tracked as CWE-1021, affecting releases of the unilogies/bumsys repository prior to v2.0.2. The flaw received a CVSS 3.1 base score of 6.1 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network without privileges, requiring user interaction, with a changed scope (the attacker's page drives actions in the framed application) and limited confidentiality and integrity impact.

An unauthenticated remote attacker (PR:N) can exploit the vulnerability by loading application pages in an iframe on an attacker-controlled site. Because the application does not restrict framing, the attacker can overlay or hide the framed content and lure a victim into clicking (UI:R); the clicks land on the real application and execute with the victim's session, so the attack only matters against a user who is logged in to the bumsys instance in that browser. The result is limited disclosure or modification of data within the affected bumsys instance.

Public references point to a fix merged in commit 8c5b27d54707f9805b27ef26ad741f2801e30e1f that resolves the frame-restriction issue; the associated huntr.dev report confirms the patch was accepted and the project was updated to 2.0.2.
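As an added example (not code from this page or from the bumsys project, whose actual fix is not reproduced here), the following Python script shows the check a reviewer would run on a bumsys response after patching: given the response headers and an embedding origin, it decides whether a browser would render the page in a frame, applying the rules browsers use. A Content-Security-Policy frame-ancestors directive takes precedence and, when present, X-Frame-Options is ignored; DENY and SAMEORIGIN are honoured; the obsolete ALLOW-FROM form is ignored by current browsers and so gives no protection. The header sets, the application URL bumsys.example.test and the attacker origin evil.example.test are constructed for illustration.

```python
"""Decide whether a response can be framed by another origin (clickjacking exposure).

Added example; the header sets and hostnames below are constructed, not taken from bumsys.
"""
from __future__ import annotations

from urllib.parse import urlsplit

Origin = tuple  # (scheme, host, port)


def origin_of(url: str) -> Origin:
    """Return the (scheme, host, port) origin of a URL, with default ports filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def frame_ancestors(csp: str | None) -> list[str] | None:
    """Source list of the CSP frame-ancestors directive, or None when the directive is absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_matches(src: str, page: Origin, embedder: Origin) -> bool:
    """Does one frame-ancestors source expression admit the embedding origin?"""
    scheme, host, port = embedder
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":") and "//" not in src:  # scheme-source such as https:
        return scheme == src[:-1]
    # host-source: [scheme://]host[:port]; a leading "*." matches any subdomain
    src_scheme, _, rest = src.rpartition("://")
    if src_scheme and src_scheme != scheme:
        return False
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and str(port) != src_port:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:]) and host != src_host[2:]
    return host == src_host


def framing_allowed(page_url: str, headers: dict[str, str], embedder_url: str) -> bool:
    """True if a browser would render page_url inside a frame hosted at embedder_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)

    # frame-ancestors, when present, takes precedence and X-Frame-Options is ignored.
    sources = frame_ancestors(h.get("content-security-policy"))
    if sources is not None:
        return any(source_matches(s, page, embedder) for s in sources)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # No header, or the obsolete ALLOW-FROM form that current browsers ignore:
    # nothing prevents a cross-origin page from framing the response.
    return True


APP = "https://bumsys.example.test/index.php"  # constructed target URL
ATTACKER = "https://evil.example.test/"        # constructed attacker origin

# Constructed response header sets: the first two are the vulnerable shape, the rest are fixes.
HEADER_SETS = {
    "no anti-framing header": {"Content-Type": "text/html"},
    "X-Frame-Options: ALLOW-FROM (obsolete)": {"X-Frame-Options": "ALLOW-FROM https://partner.example.test"},
    "X-Frame-Options: SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN"},
    "X-Frame-Options: DENY": {"X-Frame-Options": "DENY"},
    "CSP frame-ancestors 'self'": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "CSP frame-ancestors 'none' beside a permissive XFO": {
        "X-Frame-Options": "ALLOW-FROM https://partner.example.test",
        "Content-Security-Policy": "frame-ancestors 'none'",
    },
    "CSP wildcard subdomain (too broad if attackers can get a subdomain)": {
        "Content-Security-Policy": "frame-ancestors https://*.example.test"
    },
}


def assess(page_url: str = APP, embedder_url: str = ATTACKER) -> dict[str, bool]:
    """Map each header set to whether embedder_url could frame page_url."""
    return {name: framing_allowed(page_url, hdrs, embedder_url) for name, hdrs in HEADER_SETS.items()}


if __name__ == "__main__":
    for name, allowed in assess().items():
        print(f"{'FRAMEABLE' if allowed else 'blocked  '}  {name}")
```

The last header set is the caveat worth remembering when writing the fix: a wildcard such as `https://*.example.test` admits every subdomain, including one an attacker can register or take over, so for a single-tenant application `'self'` (or DENY when no framing is needed at all) is the safer choice. To apply the check to a live instance, fetch the page with any HTTP client and pass its response headers to `framing_allowed`.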

The EPSS score rose sharply after disclosure, peaking at 0.6930, and has since settled at the current 0.5110. Even at that level it sits in the 97.9th percentile of all CVEs, so the estimated exploitation interest remains high and the vulnerability warrants renewed attention.

Vulnerability details

Improper Restriction of Rendered UI Layers or Frames in GitHub repository unilogies/bumsys prior to v2.0.2.

CWE(s)

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: bumsys project
Product: bumsys
Versions: < 2.0.2 (fixed in v2.0.2)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References