Cyber Resilience

CVE-2023-6065

Severity: Medium · Public PoC

Published: 18 December 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (3.4.2.1)
CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.3753 (97.3rd percentile)
Risk priority: 33 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-6065 is a medium-severity vulnerability (weakness type unspecified, no CWE assigned) in the Quttera Web Malware Scanner. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability CVE-2023-6065 is an information disclosure flaw in the Quttera Web Malware Scanner WordPress plugin before version 3.4.2.1. The plugin fails to restrict access to detailed scan logs, which can expose local file paths and portions of the site's source code. It carries a CVSS 3.1 base score of 5.3 under the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

The issue is exploitable remotely over the network with no authentication and no user interaction: directly retrieving the unprotected scan logs lets an attacker map internal directory structures and inspect fragments of the site's code.

References hosted on WPScan and related repositories describe the vulnerability and point to the patched release 3.4.2.1 as the corrective version. The associated EPSS values show a current score of 0.3753 against a recorded peak of 0.4007.

EU & UK References

Vulnerability details

The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: quttera
Product: quttera web malware scanner
Affected versions: ≤ 3.4.2.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References