CVE-2023-38286 - Remote Code Execution (RCE)

Severity: None

2023-10-23


Abstract

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

The Oxygen products incorporate Thymeleaf as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product                                    Severity   Fixed Release Availability
Oxygen XML Web Author v25.1.0.1 and older  None       Oxygen XML Web Author 26.0.0 build 2023101015
Oxygen Content Fusion v5.1.1 and older     None       Oxygen Content Fusion 6.0 build 2023110109
Oxygen Feedback v3.0.2 and older           None       N/A

Mitigation

None

Detail

CVE-2023-38286

Severity: High

CVSS Score: 7.5

The Thymeleaf third-party library used by Oxygen XML products is one of the affected versions listed in the CVE-2023-38286 vulnerability description. However, since Oxygen products do not use Spring Boot Admin Server, this vulnerability does not affect Oxygen products.

Starting with Oxygen XML Web Author v26.0.0 build 2023101015, the Thymeleaf library was updated to a version that fixes this vulnerability.
