Cyber Resilience

CVE-2023-37635

Critical · Public PoC

Published: 23 October 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0823 (92.4th percentile)
Risk Priority: 25 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37635 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in UVDesk Community Skeleton (uvdesk/community-skeleton). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 7.6% of CVEs by EPSS exploit likelihood (92.4th percentile); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

UVDesk Community Skeleton version 1.1.1 permits unauthenticated brute-force attacks against its login page, classified under CWE-307. The flaw lies in the web application's authentication mechanism and carries a CVSS 3.1 base score of 9.8, reflecting network-reachable exploitation with no credentials or user interaction required and full impact on confidentiality, integrity, and availability. The score describes the worst case: the attacker still has to guess a valid credential, so the practical impact depends on the strength of the passwords in use and on whether a second authentication factor is enforced.

Unauthenticated remote attackers can submit login attempts repeatedly without hitting any rate limit or account lockout, so they can guess valid credentials at network speed and obtain unauthorized access to the application and its data.
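Because the advisory and its public reference give no patch or configuration fix, the first practical step for a defender is to see the guessing while it happens. The block below is an added example, not code from the UVDesk project or from the advisory: it scans web-server access-log lines in the common "combined" format and flags any source that submits the login form more than a threshold number of times inside a sliding time window. The login path /en/login, the client addresses and the log lines themselves are constructed assumptions for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the nginx/Apache "combined" access-log format; the query string is
# dropped from the path so /en/login?x=1 and /en/login count as the same page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, login_path="/en/login", threshold=10, window_seconds=60):
    """Return {ip: time_of_first_alert} for every source that submits the login
    form `threshold` or more times inside any `window_seconds` sliding window.

    Only the submission count is used: a form login that answers both success
    and failure with a 302 redirect (Symfony's form login does) gives no usable
    status-code signal, so counting POSTs per source is the robust check.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # evict entries outside the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


# Constructed sample lines (not real traffic). The login path /en/login and the
# addresses are assumptions made for this example.
def _line(ip, second, method="POST", path="/en/login", status=302):
    return (f'{ip} - - [23/Oct/2023:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')


SAMPLE_LINES = (
    [_line("203.0.113.7", s) for s in range(12)]                # 12 guesses in 12 s
    + [_line("198.51.100.4", 3), _line("198.51.100.4", 40)]     # a user who mistyped once
    + [_line("198.51.100.4", 41, method="GET", status=200)]     # page load, not a submission
)

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LINES).items():
        print(f"{ip}: login-guessing burst, threshold reached at {when.isoformat()}")
```

With the defaults the attacker address is flagged on its tenth submission while the legitimate user's two attempts never trip the threshold. Tune `threshold` and `window_seconds` to the site's normal traffic; an access log cannot see the submitted username, so pairing this with the application's own authentication log is the way to catch slow, distributed guessing against a single account.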

Public references at https://www.esecforte.com/cve-2023-37635-login-bruteforce/ describe the issue but do not detail specific patches or configuration changes. The EPSS score has been stable, with a current value of 0.0823 (an estimated 8.2% probability of exploitation activity in the next 30 days) and a peak of 0.0878; that is low in absolute terms but places the CVE in the 92.4th percentile of all scored CVEs.


Vulnerability details

UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute force attacks on the login page to gain access to the application.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: uvdesk
Product: community-skeleton
Version: 1.1.1

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-307

Conditional (step-up) authentication: when specific conditions are met, such as an excessive number of failed attempts, a stronger authentication method is required, which restricts brute-force exploitation.
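Both controls above come down to counting failures and refusing further attempts once a threshold is reached. The block below is an added example of what that looks like in application code; it is not UVDesk's code and not a vendor patch. It keeps an in-memory LoginThrottle keyed on both the account name and the source address, checks the lockout before the password is verified (so a locked account rejects even the correct password until the lockout expires), and compares unknown usernames against a dummy hash so response time does not reveal which accounts exist. The user names, passwords, addresses, thresholds and the fake clock are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class _State:
    failures: int = 0
    first_failure: float = 0.0
    locked_until: float = 0.0


class LoginThrottle:
    """Counts failed logins per key and locks the key after max_failures
    within window_seconds. In-memory for the example; a real deployment
    keeps this in Redis or the database so every worker sees the same counts."""

    def __init__(self, max_failures=5, window_seconds=900,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock          # injectable so the behaviour can be tested
        self._state = {}

    def _get(self, key):
        return self._state.setdefault(key, _State())

    def is_locked(self, key):
        return self.clock() < self._get(key).locked_until

    def record_failure(self, key):
        """Count one failure; return True when this failure starts a lockout."""
        st, now = self._get(key), self.clock()
        if st.failures == 0 or now - st.first_failure > self.window:
            st.failures, st.first_failure = 0, now   # start a fresh counting window
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failures = 0
            return True
        return False

    def record_success(self, key):
        self._state.pop(key, None)


# Dummy credential used when the username does not exist, so unknown and known
# accounts cost the same time to reject.
_DUMMY = hash_password("not-a-real-password")


def attempt_login(throttle, users, username, password, source_ip):
    """Return 'locked', 'invalid' or 'ok'. The lockout is checked *before* the
    password, so a locked account rejects even the correct password. The HTTP
    layer should map 'locked' and 'invalid' to the same generic error message."""
    keys = (f"user:{username.lower()}", f"ip:{source_ip}")
    if any(throttle.is_locked(k) for k in keys):
        return "locked"
    record = users.get(username.lower())
    salt, digest = record if record is not None else _DUMMY
    matched = verify_password(password, salt, digest) and record is not None
    if matched:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "invalid"


def demo():
    """Five wrong guesses, then the right password during the lockout, then the
    right password after the lockout expires. Constructed scenario, fake clock."""
    now = [1000.0]
    throttle = LoginThrottle(max_failures=5, lockout_seconds=900, clock=lambda: now[0])
    users = {"admin": hash_password("correct horse battery staple")}
    results = []
    for guess in ("123456", "password", "admin", "letmein", "qwerty"):
        results.append(attempt_login(throttle, users, "admin", guess, "203.0.113.7"))
    results.append(attempt_login(throttle, users, "admin", "correct horse battery staple", "203.0.113.7"))
    now[0] += 901                                   # lockout has expired
    results.append(attempt_login(throttle, users, "admin", "correct horse battery staple", "203.0.113.7"))
    return results


if __name__ == "__main__":
    print(demo())
```

Keying on the account as well as the address is what defeats a distributed attacker who rotates source IPs, and keying on the address is what defeats one who sprays a single password across many accounts; a per-IP lock alone can also be turned into a denial of service against users behind a shared NAT, which is why the lockout here expires rather than requiring an administrator to clear it.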

References

https://nvd.nist.gov/vuln/detail/CVE-2023-37635
https://www.esecforte.com/cve-2023-37635-login-bruteforce/