JVN#19661362
Multiple vulnerabilities in Proself
Critical

Overview

Proself provided by North Grid Corporation contains multiple vulnerabilities.

Products Affected

• Proself Enterprise/Standard Edition Ver5.61 and earlier
• Proself Gateway Edition Ver1.62 and earlier
• Proself Mail Sanitize Edition Ver1.07 and earlier

Description

Proself provided by North Grid Corporation is an online storage server software. Proself contains multiple vulnerabilities listed below.

• Improper authentication (CWE-287) - CVE-2023-39415

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	Base Score: 7.5
  CVSS v2	AV:N/AC:L/Au:N/C:P/I:N/A:N	Base Score: 5.0

• OS command injection (CWE-78) - CVE-2023-39416

  CVSS v3	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	Base Score: 7.2
  CVSS v2	AV:N/AC:L/Au:S/C:P/I:P/A:P	Base Score: 6.5

Impact

• A remote unauthenticated attacker may log in to the product's Control Panel and perform an unintended operation - CVE-2023-39415
• An arbitrary OS command may be executed by an attacker who can log in to the product with an administrative privilege - CVE-2023-39416

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

Apply the workaround
Until the software is updated, the following workaround are recommended to mitigate the impact of the vulnerabilities.

• Delete the following two files under "Proself install folder/webapps/proself/WEB-INF/xml/process/external/admin"
  • downloadhistory.xml
  • setclustermyid.xml