WARNING: CRITICAL OPENSUPPORTS VULNERABILITY ALLOWS ARBITRARY CODE EXECUTION AND REVERSE SHELL, NO PATCH AVAILABLE!
CVE-2023-48031
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
A proof of concept exploit exists for a critical vulnerability (CVE-2023-48031) in OpenSupports v4.11.0, allowing an attacker to bypass security restrictions by uploading a crafted file with a modified file signature (magic bytes) to pass as an acceptable file type. A succesful attack could enable the adversary to execute arbitrary code or establish a reverse shell.
Compromise could have high impact on confidentiality, integrity and availability.
OpenSupports is a free open source ticket system available on the official OpenSupports GitHub. The repository doesn't offer a remediation for CVE-2023-48031. Version v4.11.0 dates back to January 2022 and hasn't been updated since.
Description
CVE-2023-48031 allows an attacker to execute arbitrary code or establish a reverse shell leading to possible control over a victim's infrastructure.
Recommended Actions
The Centre for Cyber Security Belgium (CCB) strongly recommends to install alternative software or find mitigation alternatives.