CVE-2023-43323

Severity: Medium · Public PoC

Published: 28 September 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score (v3.1): 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.8087 (99.2nd percentile)
Risk Priority: 62 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-43323 is a medium-severity External Control of System or Configuration Setting (CWE-15) vulnerability in mooSocial (vendor: moosocial). Its CVSS base score is 6.5 (Medium).

Operationally, this CVE ranks in the top 0.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

mooSocial version 3.1.8 contains an external service interaction vulnerability in its post functionality. The affected parameters include messageText, data[wall_photo], data[userShareVideo], and data[userShareLink]. When these fields are supplied with attacker-controlled values, the application causes the server to issue HTTP and DNS requests to external systems. The issue is tracked as CVE-2023-43323 with a CVSS 3.1 base score of 6.5 and is associated with CWE-15.

Remote attackers can exploit the flaw without authentication or user interaction by submitting crafted post requests. Successful exploitation allows the server to be coerced into interacting with arbitrary external endpoints, resulting in limited disclosure of internal network information and limited integrity impact on the affected installation.
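The flaw above turns user-supplied post fields into server-side DNS lookups and HTTP fetches. As an added example (not mooSocial's code and not a description of its fix), the following outbound-fetch guard shows the check a post handler could apply to a field such as data[userShareLink] before the server resolves or requests it; the hostnames and addresses in FAKE_DNS are constructed so the check runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. In production use
# socket.getaddrinfo() and check every address the resolver returns.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.test": ["10.0.0.5"],
    "mixed.test": ["93.184.216.34", "169.254.1.1"],  # one public, one link-local answer
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) must be judged as the embedded IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_share_link(url: str, resolve=lambda host: FAKE_DNS.get(host, [])):
    """Return (allowed, reason) for a user-supplied URL the server would fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:          # urlsplit lower-cases the scheme
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:                                              # literal IP host?
        addrs = [host]
        ipaddress.ip_address(host)
    except ValueError:                                # hostname: consult the resolver
        addrs = resolve(host)
    if not addrs:
        return False, "unresolvable host"
    # Reject if ANY answer is non-public; a mixed answer set must not pass.
    if not all(is_public_address(a) for a in addrs):
        return False, "resolves to non-public address"
    # The caller should pin the fetch to these addresses rather than resolve again.
    return True, "ok"
```

Pinning the connection to the already-checked addresses matters because a second lookup at fetch time may return a different answer than the one that was validated.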

Public proof-of-concept material is available in repositories linked to the CVE. The current EPSS score of 0.8087 matches the recorded peak, indicating sustained exploitation interest since disclosure. No vendor advisory or patch information is referenced in the available sources.

Vulnerability details

mooSocial 3.1.8 is vulnerable to external service interaction in its post function. When triggered, the server sends an HTTP and a DNS request to an external server. Multiple parameters are affected: messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].

CWE(s)

CWE-15: External Control of System or Configuration Setting

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: moosocial
Product: moosocial
Version: 3.1.8

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-15

The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications.

addresses: CWE-15

Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings.

addresses: CWE-15

Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings.

addresses: CWE-15

Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control.

addresses: CWE-15

Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.

addresses: CWE-15

Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings.

addresses: CWE-15

The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings.

addresses: CWE-15

Vulnerability scanners directly detect externally controllable or misconfigured settings using standardized checklists.
