Squidex
CVE-2023-46253
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitrary file write vulnerability in the backup restore feature which allows an authenticated attacker to gain remote code execution (RCE). Squidex allows users with the squidex.admin.restore permission to create and restore backups. Part of these backups are the assets uploaded to an App. For each asset, the backup zip archive contains a .asset file with the actual content of the asset as well as a related AssetCreatedEventV2 event, which is stored in a JSON file. Amongst other things, the JSON file contains the event type (AssetCreatedEventV2), the ID of the asset (46c05041-9588-4179-b5eb-ddfcd9463e1e), its filename (test.txt), and its file version (0). When a backup with this event is restored, the BackupAssets.ReadAssetAsync method is responsible for re-creating the asset. For this purpose, it determines the name of the .asset file in the zip archive, reads its content, and stores the content in the filestore. When the asset is stored in the filestore via the UploadAsync method, the assetId and fileVersion are passed as arguments. These are further passed to the method GetFileName, which determines the filename where the asset should be stored. The assetId is inserted into the filename without any sanitization and an attacker with squidex.admin.restore privileges to run arbitrary operating system commands on the underlying server (RCE).
AnalysisAI
Squidex is an open source headless CMS and content management hub. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Squidex is an open source headless CMS and content management hub. Affected versions are subject to an arbitrary file write vulnerability in the backup restore feature which allows an authenticated attacker to gain remote code execution (RCE). Squidex allows users with the squidex.admin.restore permission to create and restore backups. Part of these backups are the assets uploaded to an App. For each asset, the backup zip archive contains a .asset file with the actual content of the asset as well as a related AssetCreatedEventV2 event, which is stored in a JSON file. Amongst other things, the JSON file contains the event type (AssetCreatedEventV2), the ID of the asset (46c05041-9588-4179-b5eb-ddfcd9463e1e), its filename (test.txt), and its file version (0). When a backup with this event is restored, the BackupAssets.ReadAssetAsync method is responsible for re-creating the asset. For this purpose, it determines the name of the .asset file in the zip archive, reads its content, and stores the content in the filestore. When the asset is stored in the filestore via the UploadAsync method, the assetId and fileVersion are passed as arguments. These are further passed to the method GetFileName, which determines the filename where the asset should be stored. The assetId is inserted into the filename without any sanitization and an attacker with squidex.admin.restore privileges to run arbitrary operating system commands on the underlying server (RCE). Affected products include: Squidex.Io Squidex.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
Server-Side Request Forgery (SSRF) vulnerability in Squidex CMS webhook configuration allows authenticated administrator
Cross-Site Request Forgery (CSRF) in GitHub repository squidex/squidex prior to 7.4.0. Rated medium severity (CVSS 6.5),
Squidex is an open source headless CMS and content management hub. Rated medium severity (CVSS 6.1), this vulnerability
Squidex before 7.4.0 was discovered to contain a squid.svg cross-site scripting (XSS) vulnerability. Rated medium severi
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0. Rated medium severi
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. Rated medium severity (CVSS 5.4), this
Squidex is an open source headless CMS and content management hub. Rated medium severity (CVSS 5.4), this vulnerability
Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0. Rated medium severi
Server-Side Request Forgery in Squidex versions prior to 7.23.0 allows authenticated users with asset upload permissions
Server-Side Request Forgery (SSRF) in Squidex versions before 7.23.0 allows authenticated users with schema editing perm
Server-Side Request Forgery in Squidex's backup restoration endpoint allows authenticated administrators to probe intern
Blind Server-Side Request Forgery (SSRF) in Squidex prior to version 7.23.0 allows authenticated administrators to force
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today