Cyber Resilience

CVE-2023-46253

Critical · Public PoC

Published: 07 November 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0680 (91.5th percentile)
Risk priority: 22 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-46253 is a critical-severity path traversal (CWE-22) vulnerability in Squidex, the open source headless CMS from squidex.io. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, its EPSS score places it in the top 8.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Squidex, an open source headless CMS, contains an arbitrary file write vulnerability in its backup restore feature that is reachable by authenticated users holding the squidex.admin.restore permission. The flaw stems from insufficient sanitization of the assetId value supplied in AssetCreatedEventV2 JSON records inside a backup archive: when BackupAssets.ReadAssetAsync processes the corresponding .asset file, the unsanitized identifier is passed through UploadAsync into GetFileName, so an attacker-controlled path segment ends up in the name under which the content is written to the underlying filestore (CWE-22 path traversal).

An attacker who can create and restore backups can therefore write files to attacker-chosen paths on the server, including executables or scripts, and thereby achieve remote code execution with the privileges of the Squidex process. The CVSS 3.1 score of 9.1 reflects network-accessible exploitation that requires high privileges (PR:H, the restore permission) but no user interaction, with a scope change (S:C) and full confidentiality, integrity, and availability impact on the affected host.

The issue is documented in the Squidex GitHub Security Advisory GHSA-phqq-8g7v-3pg5. Exploitation probability as measured by EPSS has remained flat at 0.0680, with no material increase since disclosure.


Vulnerability details

Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitrary file write vulnerability in the backup restore feature which allows an authenticated attacker to gain remote code execution (RCE).

Squidex allows users with the `squidex.admin.restore` permission to create and restore backups. Part of these backups are the assets uploaded to an App. For each asset, the backup zip archive contains a `.asset` file with the actual content of the asset as well as a related `AssetCreatedEventV2` event, which is stored in a JSON file. Amongst other things, the JSON file contains the event type (`AssetCreatedEventV2`), the ID of the asset (for example `46c05041-9588-4179-b5eb-ddfcd9463e1e`), its filename (`test.txt`), and its file version (`0`).

When a backup with this event is restored, the `BackupAssets.ReadAssetAsync` method is responsible for re-creating the asset. For this purpose, it determines the name of the `.asset` file in the zip archive, reads its content, and stores the content in the filestore. When the asset is stored in the filestore via the `UploadAsync` method, the `assetId` and `fileVersion` are passed as arguments. These are further passed to the method `GetFileName`, which determines the filename under which the asset should be stored. The `assetId` is inserted into the filename without any sanitization, which allows an attacker with `squidex.admin.restore` privileges to write files to arbitrary locations and run arbitrary operating system commands on the underlying server (RCE).
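As an added example (not Squidex's own code, and not the proof-of-concept the page references), the following Python models the data flow described in the two passages above: a filename built from an unvalidated `assetId` beside a hardened version that insists on a canonical UUID and re-checks the resolved path against the store root, plus a pre-restore scan over a backup's event records. The store root, the `<assetId>_<fileVersion>.asset` naming scheme, and the flat key layout of the constructed sample events are assumptions for the illustration, not details taken from the advisory.

```python
"""Added illustration, not Squidex source: models how an unsanitized assetId
from an AssetCreatedEventV2 record reaches the filestore path during restore,
the validation that stops it, and a scan a restore job could run first.

Assumptions (not from the advisory): the store root below, the naming scheme
"<assetId>_<fileVersion>.asset", and the flat key layout of the sample events.
"""
import json
import uuid
from pathlib import Path

STORE_ROOT = Path("/srv/squidex-assets")  # hypothetical filestore root


def get_file_name_vulnerable(asset_id: str, file_version: int) -> Path:
    """Mirrors the flaw: the id is spliced into the path with no validation,
    so an id such as "../../tmp/evil" walks out of the store root."""
    return STORE_ROOT / f"{asset_id}_{file_version}.asset"


def escapes_store_root(asset_id: str, file_version: int = 0) -> bool:
    """True when the vulnerable construction would resolve outside STORE_ROOT."""
    target = get_file_name_vulnerable(asset_id, file_version).resolve()
    return STORE_ROOT.resolve() not in target.parents


def canonical_asset_id(asset_id: str) -> str:
    """Accept only ids that round-trip as a canonical lowercase UUID; separators,
    dots, braces, urn: prefixes and other UUID spellings are all rejected."""
    try:
        parsed = uuid.UUID(asset_id)
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"assetId is not a UUID: {asset_id!r}") from None
    if str(parsed) != asset_id:
        raise ValueError(f"assetId is not canonical: {asset_id!r}")
    return asset_id


def get_file_name_hardened(asset_id: str, file_version: int) -> Path:
    """Validate both inputs, then re-check that the resolved path is still under
    STORE_ROOT (defense in depth should the naming scheme ever change)."""
    safe_id = canonical_asset_id(asset_id)
    if not isinstance(file_version, int) or file_version < 0:
        raise ValueError(f"bad fileVersion: {file_version!r}")
    target = (STORE_ROOT / f"{safe_id}_{file_version}.asset").resolve()
    if STORE_ROOT.resolve() not in target.parents:
        raise ValueError(f"path escapes store root: {target}")
    return target


def scan_backup_events(event_json_lines):
    """Pre-restore check: return (assetId, reason, would_escape) for every
    AssetCreatedEventV2 record whose assetId fails validation."""
    findings = []
    for line in event_json_lines:
        event = json.loads(line)
        if event.get("type") != "AssetCreatedEventV2":
            continue
        asset_id = str(event.get("assetId", ""))
        try:
            canonical_asset_id(asset_id)
        except ValueError as exc:
            findings.append((asset_id, str(exc), escapes_store_root(asset_id)))
    return findings


# Constructed sample records for the demo (not taken from a real backup).
SAMPLE_EVENTS = [
    json.dumps({"type": "AssetCreatedEventV2",
                "assetId": "46c05041-9588-4179-b5eb-ddfcd9463e1e",
                "fileName": "test.txt", "fileVersion": 0}),
    json.dumps({"type": "AssetCreatedEventV2",
                "assetId": "../../../tmp/dropped",
                "fileName": "test.txt", "fileVersion": 0}),
    json.dumps({"type": "AssetAnnotated",
                "assetId": "../not-a-create-event", "fileVersion": 0}),
]


if __name__ == "__main__":
    for asset_id, reason, escapes in scan_backup_events(SAMPLE_EVENTS):
        print(f"REJECT {asset_id!r}: {reason}; would escape store root: {escapes}")
```

The allow-list check (canonical UUID only) is the one that matters; the `resolve()` comparison is a second line of defence so that a later change to the naming scheme cannot silently reintroduce traversal. Rejecting non-canonical spellings also closes the usual bypasses (uppercase hex, braces, `urn:uuid:` prefixes) that a looser "does it parse as a UUID" check would let through into a filename.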

CWE(s)

CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: squidex.io
Product: squidex
Version: 7.8.2

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.

References

GHSA-phqq-8g7v-3pg5 (Squidex GitHub Security Advisory)