CVE-2023-3643
Published: 12 July 2023
Summary
CVE-2023-3643 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Carel Boss Mini Firmware. Its CVSS base score is 7.3 (High).
Operationally, this CVE ranks in the top 2.8% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-3643 is a file inclusion vulnerability in Boss Mini version 1.4.0 Build 6221 (classified as critical by VulDB; CVSS base score 7.3, High). It resides in an unspecified portion of the file boss/servlet/document, where unsanitized input to the path argument lets an attacker include arbitrary files from the server.
The flaw can be triggered remotely by unauthenticated attackers without user interaction. Successful exploitation yields limited (CVSS "Low") impact on confidentiality, integrity, and availability, which, together with network reachability, low attack complexity, and no privilege or user-interaction requirement, is consistent with the 7.3 rating under CWE-73.
Public references, primarily VulDB entries and the associated proof-of-concept disclosure, contain no vendor patch or mitigation guidance; with no fix referenced, restricting network reachability of the Boss Mini web interface is the available lever until the vendor publishes guidance. The EPSS score peaked at 0.4755 and currently stands at 0.3630, indicating moderate and sustained exploitation interest since public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-44287
Vulnerability details
A vulnerability was found in Boss Mini 1.4.0 Build 6221. It has been classified as critical. This affects an unknown part of the file boss/servlet/document. The manipulation of the argument path leads to file inclusion. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233889 was assigned to this vulnerability.
- CWE(s): CWE-73 External Control of File Name or Path
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Rejects externally supplied file or resource identifiers that fail validity checks.
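The CWE-73 shape described under Deeper analysis (a caller-controlled path argument turned directly into a filesystem path) and the control listed above (rejecting externally supplied file identifiers that fail validity checks) are illustrated together below. This is an added example, not Boss Mini firmware code and not derived from the referenced proof-of-concept: the handler names, the document root layout, the "secret" file and its contents are all hypothetical and constructed here so the block runs offline against a throwaway temporary directory.

```python
"""
Hypothetical document handler showing the CWE-73 pattern attributed to
CVE-2023-3643 (an untrusted `path` parameter opened as a file) beside the
hardened resolver that defeats it. Nothing here is Boss Mini's code; the
document root, file names and "secret" file are constructed for the demo.
"""
import os
import shutil
import tempfile
from pathlib import Path


class PathRejected(ValueError):
    """Raised when an externally supplied file identifier fails validation."""


def serve_document_vulnerable(doc_root: Path, user_path: str) -> bytes:
    """Vulnerable pattern: the untrusted `path` value is joined and opened as-is.

    os.path.join() drops doc_root entirely when user_path is absolute, and
    "../" segments walk out of doc_root, so any readable file can be included.
    """
    return Path(os.path.join(doc_root, user_path)).read_bytes()


def resolve_document_path(doc_root: Path, user_path: str) -> Path:
    """Hardened resolver: accept only regular files that live under doc_root.

    Validate the exact, already URL-decoded string that will be opened;
    checking a different representation (pre-decode, pre-normalisation) is
    how double-encoding tricks slip past filters.
    """
    if not user_path or "\x00" in user_path:
        raise PathRejected("empty path or embedded NUL byte")
    candidate = Path(user_path)
    # Syntactic rejection first: absolute paths and any ".." segment.
    if candidate.is_absolute() or ".." in candidate.parts:
        raise PathRejected("absolute path or parent-directory segment")
    root = doc_root.resolve()
    # Semantic check second: canonicalise (follows symlinks) and confine to root.
    resolved = (root / candidate).resolve()
    if not resolved.is_relative_to(root):
        raise PathRejected("path escapes the document root")
    if not resolved.is_file():
        raise PathRejected("not a regular file under the document root")
    return resolved


def serve_document_hardened(doc_root: Path, user_path: str) -> bytes:
    return resolve_document_path(doc_root, user_path).read_bytes()


def _make_fixture() -> tuple[Path, Path, Path]:
    """Constructed layout: <base>/boss/documents is served, <base>/etc/shadow is not."""
    base = Path(tempfile.mkdtemp(prefix="cwe73-demo-"))
    doc_root = base / "boss" / "documents"
    (doc_root / "manuals").mkdir(parents=True)
    (doc_root / "manuals" / "unit.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    secret = base / "etc" / "shadow"
    secret.parent.mkdir()
    secret.write_text("root:$6$constructed$hash:19000:0:99999:7:::\n")  # fake content
    return base, doc_root, secret


def demo() -> dict[str, bool]:
    """Run both handlers against legitimate and hostile `path` values."""
    base, doc_root, secret = _make_fixture()
    try:
        traversal = os.path.relpath(secret, doc_root)  # "../../etc/shadow"
        results = {
            "vulnerable_traversal_leaks": serve_document_vulnerable(doc_root, traversal) == secret.read_bytes(),
            "vulnerable_absolute_leaks": serve_document_vulnerable(doc_root, str(secret)) == secret.read_bytes(),
            "hardened_serves_legit": serve_document_hardened(doc_root, "manuals/unit.pdf").startswith(b"%PDF"),
        }
        hostile = {"traversal": traversal, "absolute": str(secret), "nul": "manuals/unit.pdf\x00.txt"}
        try:  # symlink inside the root pointing outside it (skipped where symlinks are unavailable)
            os.symlink(secret, doc_root / "link")
            hostile["symlink"] = "link"
        except OSError:
            pass
        for name, value in hostile.items():
            try:
                serve_document_hardened(doc_root, value)
                results[f"hardened_rejects_{name}"] = False
            except PathRejected:
                results[f"hardened_rejects_{name}"] = True
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'ok' if ok else 'FAIL'}")
```

The resolver does both a syntactic check (no absolute path, no ".." segment, no NUL) and a semantic one (canonicalise, then require the result to stay under the document root); the second catches symlink escapes that the first cannot see, which is why neither alone is enough.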