Home > Vulnerability Database > CVE-2023-7273

Mend.io Vulnerability Database

CVE-2023-7273

Date: October 1, 2024

Cross site request forgery in Kiteworks OwnCloud allows an unauthenticated attacker to forge requests. If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSRF check is bypassed in this case. An attacker can, for example, create a new administrator account if the request is executed in the browser of an authenticated victim.

Language: PHP

Severity Score

6.8

Related Resources (4)

Url: https://cirosec.de/sa/sa-2023-012

Url: https://hackerone.com/reports/2041007

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-7273

Url: https://www.mend.io/vulnerability-database/CVE-2023-7273

Severity Score

6.8

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

CVSS v3.1

Base Score:	6.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-7273

Date: October 1, 2024

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?