CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2023-1306

An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.003

EPSS Ranking 48.5%

CVSS Severity

CVSS v3 Score 8.8

References

https://docs.divvycloud.com/changelog/23321-release-notes
https://nephosec.com/exploiting-rapid7s-insightcloudsec/
https://docs.divvycloud.com/changelog/23321-release-notes
https://nephosec.com/exploiting-rapid7s-insightcloudsec/

Products affected by CVE-2023-1306

Rapid7 » Insightappsec » Version: Any

cpe:2.3:a:rapid7:insightappsec:*
Rapid7 » Insightcloudsec » Version: Any

cpe:2.3:a:rapid7:insightcloudsec:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2023-1306

Products

Pricing

Contact Us