CVE-2023-37635
Published: 23 October 2023
Summary
CVE-2023-37635 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Uvdesk Community-Skeleton. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
UVDesk Community Skeleton version 1.1.1 contains a vulnerability that permits unauthenticated brute-force attacks against its login page, classified under CWE-307. The flaw affects the web application's authentication mechanism and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can repeatedly submit login attempts without rate limiting or account lockout controls, enabling them to guess valid credentials and obtain unauthorized access to the application and its data.
Public references at https://www.esecforte.com/cve-2023-37635-login-bruteforce/ describe the issue but do not detail specific patches or configuration changes. The associated EPSS score has remained low and stable, with a current value of 0.0823 and a peak of 0.0878.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41516
Vulnerability details
UVDesk Community Skeleton v1.1.1 allows unauthenticated attackers to perform brute-force attacks on the login page to gain access to the application.
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- This control directly enforces limits on consecutive invalid logon attempts and an automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.
- Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.
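The control described above, and the missing check behind the flaw in the "Deeper analysis" section, can be shown as a small server-side throttle. This is an added illustration, not UVDesk code or a patch for CVE-2023-37635; the class, its thresholds and the login path it guards are assumptions, and the lockout state is evaluated before the password so a locked key learns nothing about credential validity.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Counts failed logins per key (account name or client IP) inside a sliding
    window and locks the key out once max_failures is reached.  Hypothetical
    reference logic for CWE-307 mitigation; thresholds are assumed values."""
    max_failures: int = 5
    window_seconds: float = 300.0
    lockout_seconds: float = 900.0
    failures: dict = field(default_factory=dict)      # key -> deque of failure timestamps
    locked_until: dict = field(default_factory=dict)  # key -> time at which lockout ends

    def is_locked(self, key: str, now: float) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]  # lockout expired, clear it
            return False
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Record one failure; return True if this failure trips the lockout."""
        q = self.failures.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window_seconds:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            q.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)  # a good login resets the consecutive-failure count


def attempt_login(throttle: LoginThrottle, username: str, client_ip: str,
                  password_ok: bool, now: float) -> str:
    """Return 'locked', 'denied' or 'ok'.  Throttles on both the account and the
    source address, so one account cannot be hammered from many IPs and one IP
    cannot spray many accounts.  password_ok stands in for the real check."""
    keys = (f"user:{username}", f"ip:{client_ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"          # refuse before touching the credential check
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    tripped = [throttle.record_failure(k, now) for k in keys]
    return "locked" if any(tripped) else "denied"
```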