PT-2023-26742 · Wix · Wix-Embedded-Mysql

Published

2023-07-28

Updated

2023-08-03

CVE-2023-39021

CVSS v3.1

9.8 Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

wix-embedded-mysql versions 4.6.1 and below
wix-embedded-mysql versions 4.6.2 and below

Both entries describe the same vulnerability and consolidate to a single range: wix-embedded-mysql versions 4.6.2 and below.

Description

The issue is a code injection vulnerability in the component com.wix.mysql.distribution.Setup.apply. It is exploited by passing an unchecked argument to the apply function.

Recommendations

For wix-embedded-mysql versions 4.6.2 and below, consider disabling the com.wix.mysql.distribution.Setup.apply component until a patch is available. Restrict access to the apply function in the com.wix.mysql.distribution.Setup component to minimize the risk of exploitation. Avoid passing unchecked arguments to the apply function until the issue is resolved.

Exploit

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2023-39021
GHSA-FX3V-4W3W-WPWR

Affected Products

Wix-Embedded-Mysql