CRITICAL🇵🇱 Wersja polska

CVE-2023-46808

CVSS 9.9v3.1pub. 2024-03-31upd. 2024-11-21

An file upload vulnerability in Ivanti ITSM before 2023.4, allows an authenticated remote user to perform file writes to the server. Successful exploitation may lead to execution of commands in the context of non-root user.

🤖 AI Analysis
How it works

The Ivanti Neurons for ITSM application does not sufficiently verify uploaded files (CWE-434 — unrestricted upload of file with dangerous type), which allows an authenticated user to upload a file with arbitrary content and save it in a selected location on the server. An attacker can thus place a malicious executable file or script in an accessible server directory. By subsequently invoking the uploaded file, they can execute arbitrary system commands.

Impact

An attacker can execute commands on the server in the context of a non-root account, which may lead to application takeover, data theft, or lateral movement in the network.

Mitigation & patch

Ivanti Neurons for ITSM should be updated to version 2023.4 or newer. Detailed information is available in the official Ivanti security bulletin at the address indicated in the references.

Who is affected

Ivanti Neurons for ITSM in versions earlier than 2023.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Ivanti Neurons For Itsm

    APP
    Ivanti
    < 2023.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-22462CRITICAL9.8PL ✓ten sam produkt

Authentication Bypass w Ivanti Neurons for ITSM — dostęp administracyjny bez uwierzytelnienia

CVE-2024-7569CRITICAL9.6PL ✓ten sam produkt

Ujawnienie OIDC client secret w Ivanti Neurons for ITSM przez debug info

CVE-2024-7570HIGH8.3ten sam produkt

Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows...

CVE-2024-22059HIGH8.8ten sam produkt

A SQL injection vulnerability in web component of Ivanti Neurons for ITSM allows a remote authenticated user t...

CVE-2024-22060MEDIUM4.9ten sam produkt

An unrestricted file upload vulnerability in web component of Ivanti Neurons for ITSM allows a remote, authent...