CVE-2023-26098 | Cyber Solutions By Thales

Abstract Advisory Information

The application has a “Open Document” feature that opens the document selected inside the application with the Process.Start function which allows code execution if an executable file is uploaded.

Author: Alexis Pain

Version affected

Name: APSAL

Versions: 3.14.2022.235 b

Common Vulnerability Scoring System

4.6

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patches

APSAL 2023.0237

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26098″
https://www.telindus.lu/fr/produits/apsal

Vulnerability Disclosure Timeline

1/12/2022: Vulnerability discovery
09/01/2023: Vulnerability Report to CERT-XLM
20/01/2023: Vulnerability Report to Vendor through email
17/02/2023: Vendor contacted again for an update
20/02/2023: CVE number assigned: CVE-2023-26098
24/02/2023: CVE ID communicated to vendor and asked for an update regarding the patch.
03/03/2023: Update asked to vendor
23/03/2023: Update received from vendor, use fix APSAL 2023.0237
24/04/2023: Expected Vulnerability disclosure