CVE-2023-5830
published 2023-10-27

Priority: P1 · 88 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.04% (99.0th percentile)

A vulnerability classified as critical has been found in ColumbiaSoft Document Locator. This affects an unknown part of the file /api/authentication/login of the component WebTools. The manipulation of the argument Server leads to improper authentication. It is possible to initiate the attack remotely. Upgrading to version 7.2 SP4 and 2021.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-243729 was assigned to this vulnerability.

Affected

4 ranges

Vendor           Product           Version range  Fixed in
columbiasoft     document_locator
documentlocator  document_locator  < 7.2          7.2
documentlocator  document_locator
documentlocator  document_locator

Detection & IOCs (extracted from sources)

url: /api/authentication/login
sigma: Detection: POST to /api/authentication/login with Content-Type: application/json;charset=UTF-8 and body containing '"Server"' pointing to external host, response body containing '"Authorized":false'
  • Exploit targets the 'Server' parameter in the JSON POST body of /api/authentication/login; attacker sets 'Server' to an external/attacker-controlled host to trigger SSRF/OOB DNS interaction.
  • Vulnerable instances can be fingerprinted via Shodan/FOFA/Google using the page title 'Document Locator - WebTools'.
  • A successful exploitation attempt (even unauthenticated) returns a JSON response body containing '"Authorized":false', confirming the endpoint was reached and the Server parameter was processed.
  • The attack is unauthenticated (PR:N), remote (AV:N), and requires no user interaction (UI:N); monitor for unexpected outbound DNS/HTTP requests originating from the Document Locator server after POST requests to /api/authentication/login.
  • The Nuclei template uses a 20-second timeout for the request, indicating the SSRF/DNS callback may be slow or delayed; detection logic should account for asynchronous OOB DNS callbacks rather than inline response inspection alone.
  • Exploitation is confirmed via out-of-band DNS interaction (interactsh), meaning network-level egress monitoring for unexpected DNS lookups from the Document Locator host is required for reliable detection.
  • Affected versions are prior to 7.2 SP4 and 2021.1; patched versions are 7.2 SP4 and 2021.1.
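
The correlation these notes call for (a POST to /api/authentication/login followed, possibly with a delay, by an unexpected DNS lookup from the Document Locator host) can be sketched as below. This is an added example, not code from the sources this entry draws on; the log formats, the server address 10.0.0.5, the 60-second window and the allowlisted suffix are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

LOGIN_PATH = "/api/authentication/login"
WINDOW = timedelta(seconds=60)          # assumption: wide enough for delayed callbacks
ALLOWED_SUFFIXES = (".corp.example",)   # assumption: names this server normally resolves

# Constructed sample logs (not real traffic).
WEB_LOG = [
    "2023-10-27T10:00:00 203.0.113.7 POST /api/authentication/login 200",
    "2023-10-27T10:05:00 198.51.100.9 GET /index.html 200",
    "2023-10-27T11:00:00 192.0.2.44 POST /api/authentication/login 200",
]
DNS_LOG = [  # resolver log: timestamp, querying client, queried name
    "2023-10-27T10:00:12 10.0.0.5 c1a2b3.oob.example.net",
    "2023-10-27T10:30:00 10.0.0.5 dc01.corp.example",
    "2023-10-27T11:00:03 10.0.0.5 sql01.corp.example",
    "2023-10-27T12:00:00 10.0.0.5 updates.example.org",
]

def parse_web(line):
    ts, src, method, path, _status = line.split()
    return datetime.fromisoformat(ts), src, method, path

def parse_dns(line):
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")

def correlate(web_lines, dns_lines, server_ip):
    """Return (login_time, source_ip, qname) for each non-allowlisted lookup made
    by server_ip within WINDOW after a POST to the login endpoint."""
    logins = [(ts, src) for ts, src, method, path in map(parse_web, web_lines)
              if method == "POST" and path.split("?")[0] == LOGIN_PATH]
    hits = []
    for ts, client, qname in map(parse_dns, dns_lines):
        # Ignore other hosts and lookups the server is expected to make.
        if client != server_ip or qname.endswith(ALLOWED_SUFFIXES):
            continue
        for login_ts, src in logins:
            if timedelta(0) <= ts - login_ts <= WINDOW:
                hits.append((login_ts.isoformat(), src, qname))
    return hits

if __name__ == "__main__":
    for hit in correlate(WEB_LOG, DNS_LOG, "10.0.0.5"):
        print("ALERT: login POST followed by unexpected lookup:", hit)
```

The 11:00:00 login is followed by a lookup of an allowlisted internal name and raises nothing, which is the legitimate case where Server names an internal host.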

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck           7.3    HIGH