CVE-2023-47261

EUVD-2023-51392
Dokmee ECM 7.4.6 allows remote code execution because the response to a GettingStarted/SaveSQLConnectionAsync /#/gettingstarted request contains a connection string for privileged SQL Server database access, and xp_cmdshell can be enabled.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
dokmeeenterprise_content_management
7.4.6
𝑥
= Vulnerable software versions
References
https://h3x0s3.github.io/CVE2023~47261/
https://www.dokmee.com/Support-Learn/Updates-Change-Log
https://h3x0s3.github.io/CVE2023~47261/
https://www.dokmee.com/Support-Learn/Updates-Change-Log