CVE-2023-6065
Published: 18 December 2023
Summary
CVE-2023-6065 is a medium-severity vulnerability (weakness type unspecified) in Quttera Web Malware Scanner. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2023-6065 is an information disclosure flaw in the Quttera Web Malware Scanner WordPress plugin before version 3.4.2.1. The plugin fails to restrict access to detailed scan logs, which can expose local file paths and portions of the site's source code. It carries a CVSS 3.1 base score of 5.3 under the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Unauthenticated remote attackers can exploit the issue over the network by directly accessing the unprotected logs, allowing them to map internal directory structures and inspect code fragments without authentication or user interaction.
References hosted on WPScan and related repositories describe the vulnerability and point to the patched release 3.4.2.1 as the corrective version. The associated EPSS values show a current score of 0.3753 against a recorded peak of 0.4007.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58322
Vulnerability details
The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.