Strix
26.1K

CVE-2023-26261

CRITICALCVSS 9.8/10EPSS 0.84%

Last modified

CVE-2023-26261 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection leads to an authentication bypass by stealing the session of another connected user. The fixed versions are WAAP Gateway & Cloud 6.11.0 and 6.5.6-patch15.. EPSS estimates a 0.84% chance of exploitation in the next 30 days.

Description

In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection leads to an authentication bypass by stealing the session of another connected user. The fixed versions are WAAP Gateway & Cloud 6.11.0 and 6.5.6-patch15.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.84%

53.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
UbikasecWaap Cloud< 6.11.0
UbikasecWaap Gateway< 6.11.0
UbikasecWaap Cloud< 6.5.6
UbikasecWaap Cloud6.5.6
UbikasecWaap Gateway< 6.5.6
UbikasecWaap Gateway6.5.6

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-26261?
In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection leads to an authentication bypass by stealing the session of another connected user. The fixed versions are WAAP Gateway & Cloud 6.11.0 and 6.5.6-patch15.
How severe is CVE-2023-26261?
CVE-2023-26261 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.84% probability of exploitation in the next 30 days.
How do I fix CVE-2023-26261?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-26261?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST