PT-2023-2969 · Faronics · Faronics Insight

Published: 2023-02-01 · Updated: 2025-01-13 · CVE-2023-28347

CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Faronics Insight version 10.0.19045

Description: The issue lies in the Teacher Console component of the Faronics Insight platform, which fails to protect the web page structure when handling the loggedInUser field. A remote attacker can exploit this to perform cross-site scripting attacks. An attacker can write a proof-of-concept script that mimics a Student Console, allowing unauthenticated attackers to trigger XSS vulnerabilities within the Teacher Console application. This can lead to remote code execution as NT AUTHORITY\SYSTEM on all connected Student Consoles and on the Teacher Console, in a zero-click manner.

Recommendations: For Faronics Insight version 10.0.19045, consider disabling the Teacher Console component until a patch is available, to prevent exploitation of the XSS vulnerability. Restrict access to the Teacher Console application to minimize the risk of remote code execution. Avoid using the loggedInUser field in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
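The root cause described above is a display field (loggedInUser) supplied by a peer and inserted into the Teacher Console page without protecting the page structure. The following is an added example, not Faronics Insight code, showing the general unsafe pattern next to its hardened form: the function names (renderUnsafe, renderSafe, escapeHtml, countTags) and the markup template are assumptions made for illustration.

```javascript
// Added example (not Faronics Insight code): rendering an untrusted display name.
// Function names and the markup template are hypothetical.

// Minimal HTML escaping for a text context: the five characters that can
// break out of text or attribute content are replaced by entity references.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the peer-supplied field is concatenated straight into markup,
// so any '<' in the value changes the structure of the page.
function renderUnsafe(loggedInUser) {
  return `<div class="student">Logged in as: ${loggedInUser}</div>`;
}

// Hardened pattern: the value is escaped before concatenation, so the page
// structure is fixed by the template and the untrusted value can only appear as text.
function renderSafe(loggedInUser) {
  return `<div class="student">Logged in as: ${escapeHtml(loggedInUser)}</div>`;
}

// Defender-side check: count opening element tags in the produced markup.
// With a fixed template the count must not depend on the untrusted value.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample value: a name that carries harmless markup.
const sampleName = 'Alice<b>x</b>';
console.log(countTags(renderUnsafe(sampleName))); // 2: the template's div plus the injected b
console.log(countTags(renderSafe(sampleName)));   // 1: only the template's div survives
```

When the console renders into a live DOM rather than an HTML string, assigning the value to `element.textContent` gives the same guarantee without manual escaping; the tag count check is a cheap assertion to keep in a unit test so that a later change back to string concatenation is caught.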

Exploit

XSS

Weakness Enumeration

Related Identifiers

BDU:2023-02981
CVE-2023-28347

Affected Products

Faronics Insight