CVE-2023-6849

Summary

A vulnerability was found in kalcaddle kodbox up to 1.48. It has been rated as critical. Affected by this issue is the function cover of the file plugins/fileThumb/app.php. The manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.48.04 is able to address this issue. The patch is identified as 63a4d5708d210f119c24afd941d01a943e25334c. It is recommended to upgrade the affected component. VDB-248210 is the identifier assigned to this vulnerability.

Affected Software

VendorProductVersion RangeStatus
kalcaddlekodbox1.0affected
kalcaddlekodbox1.1affected
kalcaddlekodbox1.2affected
kalcaddlekodbox1.3affected
kalcaddlekodbox1.4affected
kalcaddlekodbox1.5affected
kalcaddlekodbox1.6affected
kalcaddlekodbox1.7affected
kalcaddlekodbox1.8affected
kalcaddlekodbox1.9affected
kalcaddlekodbox1.10affected
kalcaddlekodbox1.11affected
kalcaddlekodbox1.12affected
kalcaddlekodbox1.13affected
kalcaddlekodbox1.14affected
kalcaddlekodbox1.15affected
kalcaddlekodbox1.16affected
kalcaddlekodbox1.17affected
kalcaddlekodbox1.18affected
kalcaddlekodbox1.19affected
kalcaddlekodbox1.20affected
kalcaddlekodbox1.21affected
kalcaddlekodbox1.22affected
kalcaddlekodbox1.23affected
kalcaddlekodbox1.24affected
kalcaddlekodbox1.25affected
kalcaddlekodbox1.26affected
kalcaddlekodbox1.27affected
kalcaddlekodbox1.28affected
kalcaddlekodbox1.29affected
kalcaddlekodbox1.30affected
kalcaddlekodbox1.31affected
kalcaddlekodbox1.32affected
kalcaddlekodbox1.33affected
kalcaddlekodbox1.34affected
kalcaddlekodbox1.35affected
kalcaddlekodbox1.36affected
kalcaddlekodbox1.37affected
kalcaddlekodbox1.38affected
kalcaddlekodbox1.39affected
kalcaddlekodbox1.40affected
kalcaddlekodbox1.41affected
kalcaddlekodbox1.42affected
kalcaddlekodbox1.43affected
kalcaddlekodbox1.44affected
kalcaddlekodbox1.45affected
kalcaddlekodbox1.46affected
kalcaddlekodbox1.47affected
kalcaddlekodbox1.48affected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References