cbcvebase.
CVE-2023-42222
published 2023-09-28

Priority: P3 (53)
Severity: high, CVSS 3.1 base score 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 1.42% (69.5th percentile)
WebCatalog before 49.0 is vulnerable to Incorrect Access Control. WebCatalog calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.

Affected

1 range

Vendor      Product     Version range   Fixed in
webcatalog  webcatalog  < 49.0          49.0

Detection & IOCs (extracted from sources)

URL IOC: search-ms://query=&crumb=location\\\&displayname=Spoofed%20Windows%20Title
  • Detect use of the 'search-ms://' URI scheme being passed to Electron's shell.openExternal, which is the attack vector for this CVE. Monitor for search-ms:// protocol handler invocations spawned from the WebCatalog process context.
  • Monitor for SMB connections (outbound to port 445) originating from the WebCatalog process, which may indicate exploitation via a UNC path embedded in a search-ms:// payload used to deliver a malicious file from an attacker-controlled SMB share.
  • Alert on WebCatalog (version < 49.0) spawning child processes or invoking non-http/https URI protocol handlers (e.g., search-ms://, file://, etc.), as this indicates abuse of the unvalidated shell.openExternal call.
  • Look for markdown-style anchor tags with search-ms:// or other non-http(s) URIs in synced WebCatalog page content, as the exploit is delivered via a renamed/friendly link.
  • The NVD advisory states the fix is in version 49.0, but the exploit document contradicts this, stating the vulnerability exists before version 48.8. Verify the actual patched version with the vendor before using version checks as a detection/remediation signal.
  • Exploitation requires user interaction: the victim must click the malicious link after syncing a page containing it. Pure passive network detections will miss the initial delivery stage.
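The root cause above is a call to Electron's shell.openExternal with no check on the URL scheme. The following is an added example, not WebCatalog's code, showing that unchecked pattern next to a hardened wrapper that only forwards http/https URLs. The opener function is injected (in a real main process it would be require('electron').shell.openExternal) so the logic runs and can be tested without Electron; the sample URLs are constructed, except the search-ms URL, which is the IOC listed on this page.

```javascript
// Allowlist wrapper for Electron's shell.openExternal (added example, not
// WebCatalog's own code). Only http and https URLs reach the OS handler.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns true only when `rawUrl` parses as an absolute URL with an http(s)
// scheme and a non-empty host. Malformed input, relative strings and every
// other scheme (file:, search-ms:, javascript:, ...) are rejected.
function isSafeExternalUrl(rawUrl) {
  if (typeof rawUrl !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(rawUrl); // throws on relative or malformed input
  } catch {
    return false;
  }
  // URL normalises the scheme to lowercase, so "HTTPS://" is covered here.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  // Defence in depth: a bare "http:" with no host must not slip through.
  return parsed.hostname.length > 0;
}

// Vulnerable pattern, as the advisory describes it: the URL goes straight to
// the OS protocol handler, so search-ms:// or file:// links are opened too.
function openExternalUnchecked(rawUrl, opener) {
  return opener(rawUrl);
}

// Hardened pattern: validate first; a blocked URL is never opened and the
// caller gets a result it can log or show to the user.
function openExternalChecked(rawUrl, opener) {
  if (!isSafeExternalUrl(rawUrl)) {
    return { opened: false, reason: 'blocked: scheme is not http(s)', url: rawUrl };
  }
  opener(rawUrl);
  return { opened: true, url: rawUrl };
}

// Constructed sample inputs; index 2 is the search-ms IOC from this page.
const SAMPLE_URLS = [
  'https://example.com/docs',
  'HTTP://example.com',
  String.raw`search-ms://query=&crumb=location\\\&displayname=Spoofed%20Windows%20Title`,
  'file:///tmp/readme.txt',
  'javascript:alert(1)',
  'not a url',
  'http:',
];

// Runs every sample through both wrappers with a recording opener and
// returns which URLs each wrapper would have handed to the OS.
function compareWrappers(urls = SAMPLE_URLS) {
  const unchecked = [];
  const checked = [];
  for (const u of urls) {
    openExternalUnchecked(u, (x) => unchecked.push(x));
    openExternalChecked(u, (x) => checked.push(x));
  }
  return { unchecked, checked };
}

// Usage: the unchecked list contains all seven inputs, the checked list only
// the two http(s) URLs.
console.log(compareWrappers());
```

Wire openExternalChecked into every place the app hands a URL to the shell (link clicks in renderer content, the window-open handler, IPC messages from untrusted pages); for detection, the blocked results are the natural thing to log, since each one is a non-http(s) URI that reached the open-external path.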