CVE-2023-49213

The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 allow remote attackers to execute arbitrary commands via crafted HTTP requests if a param block is used, due to invalid sanitization of input strings. The fixed versions are 3.10.2, 4.1.10, and 4.2.1.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
VendorProductVersion
ironmansoftwarepowershell_universal
3.0.0 ≤
𝑥
< 3.10.2
ironmansoftwarepowershell_universal
4.1.0 ≤
𝑥
< 4.1.10
ironmansoftwarepowershell_universal
4.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://blog.ironmansoftware.com/powershell-universal-apis-cve/
https://docs.powershelluniversal.com/changelogs/changelog
https://blog.ironmansoftware.com/powershell-universal-apis-cve/
https://docs.powershelluniversal.com/changelogs/changelog