CVE-2023-38335
MEDIUM 5.3
Description
Omnis Studio 10.22.00 has incorrect access control. It advertises a feature for making Omnis libraries "always private" - this is supposed to be an irreversible operation. However, due to implementation issues, "always private" Omnis libraries can be opened by the Omnis Studio browser by bypassing specific checks. This violates the expected behavior of an "irreversible operation".
CVE Details
CVSS v3.1 Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 7/20/2023
Last Modified: 11/21/2024
Source: nvd
Honeypot Sightings: 0
Affected Products
omnis:studio
Weaknesses (CWE)
CWE-276
References
http://packetstormsecurity.com/files/173695/Omnis-Studio-10.22.00-Library-Setting-Bypass.html (cve@mitre.org)
http://seclists.org/fulldisclosure/2023/Jul/41 (cve@mitre.org)
http://seclists.org/fulldisclosure/2023/Jul/43 (cve@mitre.org)
http://packetstormsecurity.com/files/173695/Omnis-Studio-10.22.00-Library-Setting-Bypass.html (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2023/Jul/41 (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2023/Jul/43 (af854a3a-2127-422b-91ae-364da2661108)
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-005.txt (af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.