Cyber Resilience

CVE-2023-4991

Severity: High

Published: 15 September 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.7th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-4991 is a high-severity Unquoted Search Path or Element (CWE-428) vulnerability in Quescom Nextbx Qwalerter. Its CVSS base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Path Interception by Unquoted Path (T1574.009). EPSS ranks it at the 40.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

A vulnerability was found in NextBX QWAlerter 4.50. It has been rated as critical. Affected by this issue is some unknown functionality of the file QWAlerter.exe. The manipulation leads to unquoted search path. It is possible to launch the attack on the local host. The identifier of this vulnerability is VDB-239804. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1574.009 Path Interception by Unquoted Path (Stealth)
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.

Why these techniques?

The unquoted search path vulnerability (CWE-428) in QWAlerter.exe allows path interception by placing a malicious executable in a parent directory along the unquoted path, directly enabling T1574.009 as stated in the advisory.

Affected Assets

Vendor: quescom
Product: nextbx qwalerter
Version: 4.50

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.