PT-2023-1552 · Kardex · Kardex Mlog Mcc

Patrick Hener · Published 2023-02-07 · Updated 2023-04-10 · CVE-2023-22855

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Kardex Mlog MCC version 5.7.12+0-a203c2a213-master

Description

The issue is improper control of code generation (code injection) in the Kardex Mlog Control Center (MCC) module, which allows a remote attacker to execute arbitrary code without authentication. The software exposes a web interface listening on port 8088. A user-controllable path is handed to the .NET path-concatenation method Path.Combine without sanitization. Path.Combine discards all preceding segments as soon as a later segment is rooted, so an absolute local path or a UNC path (\\host\share\file) supplied by the client replaces the intended base directory entirely. This allows the inclusion of arbitrary local files as well as remote files hosted on attacker-controlled SMB shares. If the included file has the extension .t4, it is rendered with the .NET templating engine mono/t4, which executes the code embedded in the template.

Recommendations

At the time of writing there is no information about a newer version that contains a fix for this vulnerability. Until a patch is available, restrict access to the web interface listening on port 8088 to trusted hosts and networks, since the vulnerability is exploitable without credentials. Avoid placing .t4 files where the affected software can reach them, because any such file is rendered, and therefore executed, by the T4 engine. Note that Path.Combine is a framework method and cannot be disabled on its own; the temporary workaround is to disable or restrict the functionality that passes user-controlled paths to it.
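The following C# program is an added illustration and is not code from the Kardex product or from the advisory author. It shows the Path.Combine behaviour the description relies on (a rooted second argument, including a UNC path, discards the base directory) next to one way of resolving a client-supplied template name safely: reject rooted input, canonicalise, check that the result stays under the base directory, and allowlist extensions. The base directory, file names and extension allowlist are hypothetical, and the demo assumes Windows path semantics, where backslash is a separator and UNC paths are rooted.

```csharp
using System;
using System.IO;

// Added illustration, not Kardex code. Base directory, file names and the
// extension allowlist are hypothetical; path semantics are Windows.
static class TemplatePathDemo
{
    // Vulnerable pattern: Path.Combine drops every earlier segment as soon as
    // a later segment is rooted, so an absolute or UNC path from the client
    // replaces the intended base directory entirely.
    public static string ResolveUnsafe(string baseDir, string userPath)
    {
        return Path.Combine(baseDir, userPath);
    }

    // Allowlist is an assumption; .t4 is deliberately absent because the T4
    // engine executes code embedded in such files.
    static readonly string[] AllowedExtensions = { ".html", ".txt" };

    // Hardened variant: reject rooted input up front, canonicalise the joined
    // path, require it to remain inside baseDir, and allowlist extensions.
    public static string ResolveSafe(string baseDir, string userPath)
    {
        if (string.IsNullOrEmpty(userPath) || Path.IsPathRooted(userPath))
            throw new UnauthorizedAccessException("rooted paths are not accepted");

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses ".." segments, so a traversal attempt ends up
        // outside root and fails the prefix check below.
        string full = Path.GetFullPath(Path.Combine(root, userPath));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the template directory");

        string ext = Path.GetExtension(full).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0)
            throw new UnauthorizedAccessException("extension not allowed: " + ext);

        return full;
    }

    static void Main()
    {
        string baseDir = @"C:\Kardex\templates";   // hypothetical
        string[] inputs =
        {
            @"report.html",                        // legitimate request
            @"..\..\Windows\win.ini",              // directory traversal
            @"C:\Users\Public\evil.t4",            // absolute local path
            @"\\10.0.0.5\share\evil.t4",           // UNC path on an SMB share
        };

        foreach (string input in inputs)
        {
            Console.WriteLine($"input:  {input}");
            Console.WriteLine($"unsafe: {ResolveUnsafe(baseDir, input)}");
            try
            {
                Console.WriteLine($"safe:   {ResolveSafe(baseDir, input)}");
            }
            catch (UnauthorizedAccessException e)
            {
                Console.WriteLine($"safe:   rejected ({e.Message})");
            }
            Console.WriteLine();
        }
    }
}
```

Running this on Windows shows ResolveUnsafe returning the attacker-supplied absolute and UNC paths unchanged, while ResolveSafe rejects all three hostile inputs and only returns the canonical path for report.html. The extension check alone would not be sufficient: without the rooted-path and prefix checks, a UNC path to a .html file on an attacker's share would still be accepted.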

Exploit

Code Injection



Related Identifiers

BDU:2023-01008
CVE-2023-22855

Affected Products

Kardex Mlog Mcc