CVE-2023-27107

Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate access rights to generate internal reports using a direct URL.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816	Exploit Third Party Advisory
https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:myq-solution:central_server::::::::
	cpe:2.3:a:myq-solution:central_server:8.2:-::::::
	cpe:2.3:a:myq-solution:print_server::::::::
	cpe:2.3:a:myq-solution:print_server:8.2:-::::::

History

21 Nov 2024, 07:52

Type	Values Removed	Values Added
References	~~() https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816 - Exploit, Third Party Advisory~~	() https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816 - Exploit, Third Party Advisory

09 May 2023, 17:24

Type	Values Removed	Values Added
First Time		Myq-solution Myq-solution central Server Myq-solution print Server
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CWE		CWE-863
CPE		cpe:2.3:a:myq-solution:print_server:::::::: cpe:2.3:a:myq-solution:central_server:::::::: cpe:2.3:a:myq-solution:print_server:8.2:-:::::: cpe:2.3:a:myq-solution:central_server:8.2:-::::::
References	~~(MISC) https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816 -~~	(MISC) https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816 - Exploit, Third Party Advisory

26 Apr 2023, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-04-26 22:15

Updated : 2025-02-03 18:15

NVD link : CVE-2023-27107

Mitre link : CVE-2023-27107

CVE.ORG link : CVE-2023-27107

JSON object : View

Products Affected

myq-solution

print_server
central_server

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2023-27107", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-04-26T22:15:09.443", "references": [{"url": "https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gist.github.com/smidtbx10/f8ff1c4977b7f54886c6a52e9ef4e816", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Incorrect access control in the runReport function of MyQ Solution Print Server before 8.2 Patch 32 and Central Server before 8.2 Patch 22 allows users who do not have appropriate access rights to generate internal reports using a direct URL."}], "lastModified": "2025-02-03T18:15:29.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:myq-solution:central_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2FDBFB80-D33E-4F9E-847F-8652065CE231", "versionEndExcluding": "8.2"}, {"criteria": "cpe:2.3:a:myq-solution:central_server:8.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "38F9E231-EA50-4428-B818-9368F6F99D1B"}, {"criteria": "cpe:2.3:a:myq-solution:print_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A76077FF-885F-4369-A3A9-676BF40AD3E3", "versionEndExcluding": "8.2"}, {"criteria": "cpe:2.3:a:myq-solution:print_server:8.2:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "399B63D2-D03D-4993-817E-987EB3C4C23B"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}