CVE-2023-29492
In short
Novi Survey versions before 8.9.43676 allow attackers to run malicious code on the server without needing special access. This compromises the server itself, though survey data remains protected.
Technical detail
Novi Survey versions before 8.9.43676 contain a remote code execution vulnerability that is exploitable without authentication and executes arbitrary commands in the context of the service account. The vulnerability stems from insufficient input validation (CWE-94: Improper Control of Generation of Code) and allows unauthenticated attackers to achieve full server compromise, though it does not extend to unauthorized access to survey responses or stored data.
Summary generated and translated by AI from the official description.
Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a