CVE-2023-33405
Published: 21 June 2023
Summary
CVE-2023-33405 is a medium-severity Open Redirect (CWE-601) vulnerability in BlogEngine.NET (listed by NVD as vendor Blogengine, product Blogengine.Net). Its CVSS base score is 6.1 (Medium).
Operationally, its EPSS score places it in the top 1.8% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-33405 is an open redirect vulnerability, tracked as CWE-601, that affects Blogengine.net versions 3.3.8.0 and earlier. Its CVSS v3.1 base score of 6.1 corresponds to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: reachable over the network with low attack complexity, no privileges required, user interaction required, changed scope (the impact lands on the victim and the destination they are sent to, not on the Blogengine.net server itself), and limited confidentiality and integrity impact with no availability impact.
An unauthenticated attacker crafts a link to the Blogengine.net site whose redirect parameter names an arbitrary external destination; a victim who follows the link is sent there by the application. Because the link carries the trusted site's hostname, the redirect is an effective lure for phishing and other social-engineering attacks that trade on the user's trust in the Blogengine.net site.
The associated EPSS score has stayed essentially flat near 0.57, with a recorded peak of 0.5767. EPSS estimates the probability of exploitation activity in the next 30 days rather than reporting observed attacks; a value near 0.57 is high in absolute terms (hence the top-1.8% ranking above), but its lack of movement means the model's estimate has not risen since disclosure.
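As an added illustration, not code from BlogEngine.NET or from this advisory, the following Python shows the CWE-601 pattern beside a hardened redirect check and runs both over crafted inputs. BlogEngine.NET itself is ASP.NET/C#; Python is used here only so the check runs on its own. The parameter name ReturnUrl, the host names and every crafted input are constructed for the example and are not taken from the vulnerability report, which does not name the vulnerable parameter.

```python
"""Open redirect (CWE-601): vulnerable pattern vs. a local-path check.

Added example; not code from BlogEngine.NET or from the advisory.
The parameter name ReturnUrl and every host name below are constructed.
"""
from urllib.parse import unquote, urlsplit

# Browsers strip ASCII C0 controls and spaces from the start of a URL
# before parsing it, so the check must strip them as well.
_LEADING_JUNK = "".join(chr(c) for c in range(0x21))


def is_local_redirect(target: str) -> bool:
    """True only if a browser would resolve `target` to a path on this site.

    Same intent as ASP.NET's Url.IsLocalUrl(): accept "/path", reject
    anything that changes scheme or host.
    """
    if not target:
        return False
    # Raw tab/CR/LF: browsers delete tabs and newlines anywhere in a URL
    # ("/\t/host" becomes "//host"), and CR/LF inside a Location header
    # is header injection. A legitimate local path never contains them.
    if any(c in target for c in "\t\r\n"):
        return False
    stripped = target.lstrip(_LEADING_JUNK)
    # A scheme ("https:", "javascript:") or an authority ("//host")
    # means the browser leaves our origin.
    parts = urlsplit(stripped)
    if parts.scheme or parts.netloc:
        return False
    # Require an absolute path on this site: exactly one leading slash.
    # "//host" is protocol-relative; browsers treat "/\host" the same way.
    if stripped[:1] != "/":
        return False
    if stripped[1:2] in ("/", "\\"):
        return False
    # Frameworks often percent-decode before building the redirect, so the
    # same rule must hold for the decoded form ("/%2f%2fhost" -> "//host").
    decoded = unquote(stripped)
    if decoded != stripped:
        return is_local_redirect(decoded)
    return True


def location_header_vulnerable(return_url: str) -> str:
    """The CWE-601 pattern: the query value becomes the Location header."""
    return return_url


def location_header_hardened(return_url: str, fallback: str = "/") -> str:
    """Redirect only to a local path; otherwise fall back to the site root."""
    return return_url if is_local_redirect(return_url) else fallback


# Constructed inputs an attacker might place in a ReturnUrl-style parameter.
CRAFTED = [
    "https://attacker.example/",      # absolute URL
    "//attacker.example/",            # protocol-relative
    "/\\attacker.example/",           # backslash, normalised to // by browsers
    "https:attacker.example",         # scheme without slashes
    "/%2f%2fattacker.example",        # percent-encoded //
    "/%5cattacker.example",           # percent-encoded backslash
    "/\t/attacker.example",           # tab deleted by the URL parser
    " //attacker.example",            # leading space stripped by browsers
    "javascript:alert(1)",            # non-HTTP scheme
]
LEGITIMATE = ["/", "/account/login.aspx", "/post.aspx?id=5&sort=asc"]


def evaluate(candidates):
    """Map each candidate to (vulnerable Location, hardened Location)."""
    return {c: (location_header_vulnerable(c), location_header_hardened(c))
            for c in candidates}


if __name__ == "__main__":
    for url, (vuln, hard) in evaluate(CRAFTED + LEGITIMATE).items():
        print(f"{url!r:32} vulnerable -> {vuln!r:32} hardened -> {hard!r}")
```

The crafted list is the point: a check that only tests for a leading slash passes "//host", "/\host" and "/%2f%2fhost", all of which a browser resolves to another origin. In ASP.NET the equivalent check is Url.IsLocalUrl(); where the application only ever redirects to a handful of known pages, an index into a server-side allowlist removes the parsing problem altogether.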
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37568
Vulnerability details
Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect.
- CWE(s): CWE-601, URL Redirection to Untrusted Site ('Open Redirect')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Blogengine.net installations running version 3.3.8.0 or earlier.
Mitigating Controls
Per-CVE control mapping has not yet been run for this CVE, so the controls below follow from the cited weakness type, CWE-601, rather than from a Blogengine.net-specific analysis:
- Update Blogengine.net; the affected range is 3.3.8.0 and earlier.
- Validate every user-supplied redirect target before issuing the redirect: accept only an absolute path on the same site (in ASP.NET, Url.IsLocalUrl) or an index into a server-side allowlist of destinations, and fall back to the site root otherwise.
- Treat protocol-relative (//host), backslash (/\host) and percent-encoded variants of those forms as external; a check that only tests for a leading slash is bypassable.
- Log and alert on redirect parameters whose value carries a scheme or authority, since such requests are the lure being built or tested.