CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-7102 – Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2023-7102
Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. Barracuda ESG Appliance which allowed Parameter Injection.This issue affected Barracuda ESG Appliance, from 5.1.3.001 through 9.2.1.001, until Barracuda removed the vulnerable logic. El uso de una librería de terceros produjo una vulnerabilidad en el dispositivo Barracuda ESG de Barracuda Networks Inc. que permitía la inyección de parámetros. Este problema afectó al dispositivo Barracuda ESG, desde la versión 5.1.3.001 hasta la 9.2.1.001, hasta que Barracuda eliminó la lógica vulnerable. • https://github.com/haile01/perl_spreadsheet_excel_rce_poc https://github.com/jmcnamara/spreadsheet-parseexcel/blob/c7298592e102a375d43150cd002feed806557c15/lib/Spreadsheet/ParseExcel/Utility.pm#L171 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2023/MNDT-2023-0019.md https://metacpan.org/dist/Spreadsheet-ParseExcel https://www.barracuda.com/company/legal/esg-vulnerability https://www.cve.org/CVERecord?id=CVE-2023-7101 • CWE-1104: Use of Unmaintained Third Party Components •
CVSS: 9.8EPSS: 4%CPEs: 10EXPL: 1CVE-2023-2868 – Barracuda Networks ESG Appliance Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2023-2868
A remote command injection vulnerability exists in the Barracuda Email Security Gateway (appliance form factor only) product effecting versions 5.1.3.001-9.2.0.006. The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). The vulnerability stems from incomplete input validation of a user-supplied .tar file as it pertains to the names of the files contained within the archive. As a consequence, a remote attacker can specifically format these file names in a particular manner that will result in remotely executing a system command through Perl's qx operator with the privileges of the Email Security Gateway product. This issue was fixed as part of BNSF-36456 patch. • https://github.com/krmxd/CVE-2023-2868 https://status.barracuda.com/incidents/34kx82j5n4q9 https://www.barracuda.com/company/legal/esg-vulnerability • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •