CVE-2023-24217
Published: 06 March 2023
Summary
CVE-2023-24217 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Agilebio Electronic Lab Notebook. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 10.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
AgileBio Electronic Lab Notebook version 4.234 contains a local file inclusion vulnerability tracked as CVE-2023-24217. The flaw is assigned CWE-98 and carries a CVSS 3.1 base score of 8.8, reflecting network attack vector, low complexity, and low privileges required for exploitation. The affected component is the Electronic Lab Notebook add-on within the LabCollector LIMS platform.
An authenticated remote attacker can supply crafted input to force inclusion of arbitrary local files. Successful exploitation grants read access to sensitive system files and, when combined with writable locations or server-side script execution, can lead to full remote code execution, resulting in complete compromise of confidentiality, integrity, and availability on the host.
Public exploit code demonstrating remote code execution against version 4.234 has been posted to Packet Storm. The associated EPSS score remains low, reaching a peak of only 0.0619 before receding to the current value of 0.0494, indicating limited observed exploitation interest since disclosure. No vendor advisory or patch information appears in the referenced sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-28276
Vulnerability details
AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.
- CWE(s): CWE-98
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet.