Cyber Resilience

CVE-2023-28347

Critical · Public PoC

Published: 31 May 2023
Modified: 13 January 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0921 (92.9th percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28347 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Faronics Insight. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood (EPSS 92.9th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-28347 affects Faronics Insight version 10.0.19045 on Windows. The flaw permits an attacker to build a proof-of-concept script that emulates a Student Console and thereby trigger cross-site scripting weaknesses (CWE-79) in the Teacher Console application, which in turn enables unauthenticated remote code execution.

An unauthenticated attacker can use such a script to obtain code execution as NT AUTHORITY/SYSTEM on the Teacher Console and on every connected Student Console. The vulnerability description states that the attack requires no user interaction and completes in a zero-click fashion over the network. Note, however, that the published CVSS 3.1 vector records UI:R (user interaction required); the 9.6 base score already reflects that component, and the same vector with UI:N would score 10.0. Defenders triaging this CVE should treat the zero-click description, not the vector, as the conservative assumption.

Public technical advisories published by NCC Group detail the multiple vulnerabilities discovered in Faronics Insight and present the research findings at the URLs listed under References; organizations should consult those resources for patch availability and recommended defensive steps.

EPSS scores have remained low and stable near 0.09 (currently 0.0921), with no material increase after disclosure.

EU & UK References

Vulnerability details

An issue was discovered in Faronics Insight 10.0.19045 on Windows. It is possible for an attacker to create a proof-of-concept script that functions similarly to a Student Console, providing unauthenticated attackers with the ability to exploit XSS vulnerabilities within the Teacher Console application and achieve remote code execution as NT AUTHORITY/SYSTEM on all connected Student Consoles and the Teacher Console in a Zero Click manner.

CWE(s): CWE-79 (Cross-site Scripting)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: faronics
Product: insight
Version: 10.0.19045

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Web application penetration testing (addresses CWE-79): submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.

- Input validation (addresses CWE-79): validates web inputs to reject script-related content that could produce XSS.

- Output validation / encoding (addresses CWE-79): validating generated web page content against what is expected can reject or sanitize script content before it is rendered, reducing XSS exploitability.

References