HIGHπŸ‡΅πŸ‡± Wersja polska

CVE-2023-1306

CVSS 8.8v3.1pub. 2023-03-21upd. 2025-02-26

An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Rapid7 Insightappsec

    APP
    Rapid7
    < 23.2.1
  • Rapid7 Insightcloudsec

    APP
    Rapid7
    < 2023.02.01
πŸ”΅
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2023-1304HIGH8.8ten sam produkt

An authenticated attacker can leverage an exposed getattr() method via a Jinja template to smuggle OS commands...

CVE-2023-1305HIGH8.1ten sam produkt

An authenticated attacker can leverage an exposed β€œbox” object to read and write arbitrary files from disk, pr...

CVE-2019-5631HIGH7.8ten sam produkt

The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of t...

CVE-2026-8592HIGH7.7ten sam vendor

OS Command Injection vulnerability in the process_string action of Rapid7 InsightConnect AWK Plugin on Linux a...

CVE-2026-8660HIGH7.7ten sam vendor

OS Command Injection vulnerability in the ping action of Rapid7 InsightConnect Ping Plugin on Linux allows rem...

CVE-2023-1306 β€” Rapid7 β€” Insightappsec β€” HIGH β€” CVSS 8.8 | CVEbaza.pl