CVE-2023-42222
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
28/09/2023
Last modified:
02/02/2024
Description
WebCatalog before 49.0 is vulnerable to Incorrect Access Control. WebCatalog calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:webcatalog:webcatalog:*:*:*:*:*:*:*:* | 49.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/176957/WebCatalog-48.4-Arbitrary-Protocol-Execution-Code-Execution.html
- https://github.com/itssixtyn3in/CVE-2023-42222
- https://webcatalog.io/changelog/
- https://www.electronjs.org/docs/latest/tutorial/security#15-do-not-use-shellopenexternal-with-untrusted-content