CVE-2023-25262
 
- Severity Score: 7.5 (CVSS v3.1)
- Public Exploits: 2 (multiple sources)
- Exploited in Wild: - (KEV)
- Decision: Attend (SSVC)
Descriptions
Stimulsoft GmbH Stimulsoft Designer (Web) 2023.1.3 is vulnerable to Server Side Request Forgery (SSRF). The Reporting Designer (Web) offers the possibility to embed sources from external locations. If the user chooses an external location, the request to that resource is performed by the server rather than the client. Therefore, the server causes outbound traffic and potentially imports data. An attacker may also leverage this behaviour to exfiltrate data of machines on the internal network of the server hosting the Stimulsoft Reporting Designer (Web).
*Credits:
N/A
SSVC
- Decision: Attend
Timeline
- 2023-02-06 CVE Reserved
- 2023-03-28 CVE Published
- 2023-05-02 First Exploit
- 2024-12-17 EPSS Updated
- 2025-02-19 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
References (4)
URL | Date | Tag |
---|---|---|
https://cloud-trustit.spp.at/s/HjEksN86SfsMaJM | | Broken Link |
https://github.com/trustcves/CVE-2023-25262 | 2023-05-02 | |
https://cves.at/posts/cve-2023-25262/writeup | 2025-02-19 | |
http://stimulsoft.com | 2023-04-03 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Stimulsoft | Designer | 2023.1.3 | web | Affected |
Stimulsoft | Designer | 2023.1.4 | web | Affected |