This applies as of PRTG 23.2.86
Summary
As of PRTG 23.2.86, multiple vulnerabilities were addressed. We fixed a path traversal vulnerability that affected the WMI Custom, MySQLv2, and the HL7 sensors. We also fixed a vulnerability that made it possible to bypass the CSRF protection by executing certain HTTP calls. Finally, we fixed a vulnerability present in DICOM sensors and the HL7 sensor that potentially allowed a PRTG user with write permissions to use a debug parameter to create an executable file on the local system.
Details
CVE-2023-31448, CVE-2023-31449, and CVE-2023-31450
A penetration tester brought several possible vulnerabilities to our attention. We fixed a path traversal vulnerability where an authenticated user could create WMI Custom, MySQLv2, and HL7 sensors with unintended paths to WMI, SQL, or HL7 files on the host system, potentially allowing arbitrary actions to be executed.
For more information on the vulnerabilities, see CVE-2023-31448, CVE-2023-31449, and CVE-2023-31450.
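As an added illustration of the mitigation class for the path traversal described above (example code, not PRTG's or Paessler's own), the following Python confines a user-supplied sensor file name to the directory its sensor type is permitted to read from; the directory layout, sensor-type keys and file extensions are assumptions.

```python
# Added example, not PRTG's code: confine a user-supplied sensor file name to the
# directory its sensor type may read from. SENSOR_FILE_RULES (subdirectory and
# permitted extension per sensor type) is a hypothetical layout for illustration.
import os
import tempfile

SENSOR_FILE_RULES = {
    "wmi_custom": ("wmi", ".wql"),
    "mysql_v2": ("sql", ".sql"),
    "hl7": ("hl7", ".hl7"),
}

def resolve_sensor_file(base_dir, sensor_type, file_name):
    """Return the canonical path for file_name, or raise ValueError if it is not
    a bare name with the right extension that stays inside the allowed root."""
    if sensor_type not in SENSOR_FILE_RULES:
        raise ValueError(f"unknown sensor type: {sensor_type!r}")
    subdir, ext = SENSOR_FILE_RULES[sensor_type]
    # Only a bare file name is acceptable: this rejects '..', absolute paths and
    # both separator styles before any path arithmetic happens.
    if file_name in ("", ".", "..") or os.path.basename(file_name.replace("\\", "/")) != file_name:
        raise ValueError(f"file name must be a bare name: {file_name!r}")
    if not file_name.lower().endswith(ext):
        raise ValueError(f"expected a {ext} file: {file_name!r}")
    allowed_root = os.path.realpath(os.path.join(base_dir, subdir))
    candidate = os.path.realpath(os.path.join(allowed_root, file_name))
    # Defence in depth: after symlink resolution the target must still lie under
    # the allowed root (commonpath avoids the 'sql' vs 'sql2' prefix mistake).
    if os.path.commonpath([allowed_root, candidate]) != allowed_root:
        raise ValueError(f"path escapes {allowed_root}: {candidate}")
    return candidate

def is_accepted(base_dir, sensor_type, file_name):
    try:
        resolve_sensor_file(base_dir, sensor_type, file_name)
        return True
    except ValueError:
        return False

def symlink_escape_rejected():
    """True if a sql/linked.sql symlink pointing outside the root is rejected."""
    with tempfile.TemporaryDirectory() as base:
        os.mkdir(os.path.join(base, "sql"))
        outside = os.path.join(base, "outside.sql")
        open(outside, "w").close()
        try:
            os.symlink(outside, os.path.join(base, "sql", "linked.sql"))
        except (OSError, NotImplementedError):  # platform without symlink support
            return None
        return not is_accepted(base, "mysql_v2", "linked.sql")
```

The bare-name check rejects traversal and absolute paths before any filesystem access, and the realpath comparison catches a symlink planted inside the allowed directory that points elsewhere.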
CVE-2023-31452
We fixed a vulnerability where it was possible to bypass the CSRF protection by executing HTTP calls on several endpoints via a GET request.
For more information on the vulnerability, see CVE-2023-31452.
CVE-2023-32781 and CVE-2023-32782
We fixed a vulnerability where a PRTG user with write permissions could cause the DICOM sensors and the HL7 sensor to create potentially executable files on the host system by supplying a debug parameter during sensor creation.
For more information on the vulnerabilities, see CVE-2023-32781 and CVE-2023-32782.
Steps to take
We recommend that you always update to the latest version of PRTG via the Auto-Update feature to maintain the highest level of security.