CVE-2023-1362
Published: 13 March 2023
Summary
CVE-2023-1362 is a medium-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Bumsys (Bumsys Project). Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-1362 is an instance of improper restriction of rendered UI layers or frames, tracked as CWE-1021, that affects the unilogies/bumsys repository prior to version 2.0.2. The flaw received a CVSS 3.1 base score of 6.1 with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges required, user interaction required, changed scope, and limited confidentiality and integrity impact with no availability impact.
An unauthenticated remote attacker can exploit the vulnerability by framing application pages inside an attacker-controlled site. When a victim interacts with the framed content, the attacker can overlay malicious UI elements to induce unintended actions, resulting in limited disclosure or modification of data within the affected bumsys instance.
Public references point to a fix merged in commit 8c5b27d54707f9805b27ef26ad741f2801e30e1f that resolves the frame-restriction issue; the associated huntr.dev report confirms the patch was accepted and the project was updated to 2.0.2.
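Whether a deployed instance actually restricts framing can be verified from its HTTP response headers. The following is an added example, not code from the bumsys project or its fix commit: it classifies the two standard anti-framing controls (X-Frame-Options and the CSP frame-ancestors directive) and runs over constructed sample header sets, one resembling an unpatched response and one a hardened response.

```python
"""Classify a response's framing policy (CWE-1021 / clickjacking mitigation).

Added example, not code from the bumsys project. It inspects the two standard
anti-framing controls a response can carry:
  - X-Frame-Options: DENY | SAMEORIGIN  (ALLOW-FROM is obsolete and ignored)
  - Content-Security-Policy: frame-ancestors <source-list>
and reports whether an attacker-controlled origin could frame the page.
"""
from __future__ import annotations


def _csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return frame-ancestors sources (lower-cased, quotes stripped) or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def frame_protection(headers: dict[str, str]) -> str:
    """Return 'blocked', 'restricted' (explicit allow-list) or 'unprotected'."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # Browsers that support frame-ancestors ignore X-Frame-Options, so CSP wins.
        if ancestors in ([], ["none"]):
            return "blocked"
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "unprotected"  # wildcard or bare scheme: any site may frame it
        return "blocked" if ancestors == ["self"] else "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "blocked"
    return "unprotected"  # missing header or obsolete ALLOW-FROM


# Constructed sample responses; not captured from a real bumsys instance.
SAMPLES = {
    "unpatched": {"Content-Type": "text/html"},
    "hardened": {"Content-Type": "text/html",
                 "X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {frame_protection(hdrs)}")
```

Feed it the headers returned by a real instance (for example from `requests.head(url).headers`) to confirm the post-2.0.2 deployment reports "blocked" rather than "unprotected".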
The EPSS score peaked at 0.6930 after disclosure and has since settled at the current value of 0.5110, indicating a material rise in exploitation interest since disclosure that warrants renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23620
Vulnerability details
Improper Restriction of Rendered UI Layers or Frames in GitHub repository unilogies/bumsys prior to v2.0.2.
- CWE(s): CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.