CVE-2023-5830
Published 2023-10-27
Priority P188 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.04% (99.0th percentile)
A vulnerability classified as critical has been found in ColumbiaSoft Document Locator. This affects an unknown part of the file /api/authentication/login of the component WebTools. The manipulation of the argument Server leads to improper authentication. It is possible to initiate the attack remotely. Upgrading to version 7.2 SP4 and 2021.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-243729 was assigned to this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| columbiasoft | document_locator | — | — |
| documentlocator | document_locator | < 7.2 | 7.2 |
| documentlocator | document_locator | — | — |
| documentlocator | document_locator | — | — |
Detection & IOCs (extracted from sources)
sigma
Detection: POST to /api/authentication/login with Content-Type: application/json;charset=UTF-8 and a body containing '"Server"' pointing to an external host, with a response body containing '"Authorized":false'.
- Exploit targets the 'Server' parameter in the JSON POST body of /api/authentication/login; attacker sets 'Server' to an external/attacker-controlled host to trigger SSRF/OOB DNS interaction.
- Vulnerable instances can be fingerprinted via Shodan/FOFA/Google using the page title 'Document Locator - WebTools'.
- A successful exploitation attempt (even unauthenticated) returns a JSON response body containing '"Authorized":false', confirming the endpoint was reached and the Server parameter was processed.
- The attack is unauthenticated (PR:N), remote (AV:N), and requires no user interaction (UI:N); monitor for unexpected outbound DNS/HTTP requests originating from the Document Locator server after POST requests to /api/authentication/login.
- The Nuclei template uses a 20-second timeout for the request, indicating the SSRF/DNS callback may be slow or delayed; detection logic should account for asynchronous OOB DNS callbacks rather than inline response inspection alone.
- Exploitation is confirmed via out-of-band DNS interaction (interactsh), meaning network-level egress monitoring for unexpected DNS lookups from the Document Locator host is required for reliable detection.
- Affected versions are prior to 7.2 SP4 and 2021.1; patched versions are 7.2 SP4 and 2021.1.
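The correlation the notes above call for, as an added example (not part of the original page, the Nuclei template or any vendor tooling): flag login POSTs whose `Server` value is not an expected one, then look for DNS lookups of that name made by the Document Locator host in a window longer than 20 seconds. The log schema, `ALLOWED_SERVERS`, `DL_HOST`, the window size and all sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

LOGIN_PATH = "/api/authentication/login"      # endpoint named in the advisory
ALLOWED_SERVERS = {"dl-sql01.corp.example"}   # assumption: legitimate Server values
DL_HOST = "10.0.5.20"                         # assumption: Document Locator web server IP
WINDOW = timedelta(seconds=60)                # wider than 20 s: OOB lookups can lag

# Constructed sample records in a hypothetical log schema (not real traffic).
HTTP_LOG = [
    {"ts": "2023-11-02T10:00:00", "client": "198.51.100.7", "method": "POST",
     "path": LOGIN_PATH, "body": '{"Server": "probe.oob.example"}'},
    {"ts": "2023-11-02T10:01:00", "client": "10.0.8.44", "method": "POST",
     "path": LOGIN_PATH, "body": '{"Server": "dl-sql01.corp.example"}'},
    {"ts": "2023-11-02T10:05:00", "client": "203.0.113.9", "method": "POST",
     "path": LOGIN_PATH, "body": '{"Server": "other.oob.example"}'},
]
DNS_LOG = [
    {"ts": "2023-11-02T10:00:12", "src": "10.0.5.20", "qname": "probe.oob.example."},
    {"ts": "2023-11-02T10:00:13", "src": "10.0.5.20", "qname": "dl-sql01.corp.example."},
    {"ts": "2023-11-02T10:00:14", "src": "10.0.9.9", "qname": "probe.oob.example."},
]

def suspicious_logins(http_log):
    """Yield (time, client, server) for login POSTs whose Server is not allowlisted."""
    for r in http_log:
        if r["method"] != "POST" or r["path"].split("?")[0].lower() != LOGIN_PATH:
            continue
        try:
            body = json.loads(r["body"])
        except (TypeError, ValueError):
            continue                          # unparsable body: nothing to compare
        if not isinstance(body, dict):
            continue
        server = next((v for k, v in body.items() if k.lower() == "server"), None)
        name = server.strip().lower() if isinstance(server, str) else ""
        if name and name not in ALLOWED_SERVERS:
            yield datetime.fromisoformat(r["ts"]), r["client"], name

def correlate(http_log, dns_log):
    """Attach DNS lookups made by DL_HOST for the supplied name within WINDOW."""
    alerts = []
    for when, client, server in suspicious_logins(http_log):
        lookups = [d["qname"] for d in dns_log
                   if d["src"] == DL_HOST
                   and when <= datetime.fromisoformat(d["ts"]) <= when + WINDOW
                   and d["qname"].rstrip(".").lower().endswith(server)]
        alerts.append({"client": client, "server": server,
                       "egress_confirmed": bool(lookups), "lookups": lookups})
    return alerts
```

An alert with `egress_confirmed` set to false still records a request with an unexpected `Server` value; the DNS match only raises confidence that the host acted on it.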
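CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 7.3 | HIGH | — |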
GHSA
GHSA-j89v-wm7x-4434: A vulnerability classified as critical has been found in ColumbiaSoft Document Locator
ghsa_unreviewed·2023-10-27
CVE-2023-5830 [HIGH] CWE-287 GHSA-j89v-wm7x-4434: A vulnerability classified as critical has been found in ColumbiaSoft Document Locator
VulnCheck
documentlocator document_locator Improper Authentication
vulncheck·2023·CVSS 7.3
CVE-2023-5830 [HIGH] documentlocator document_locator Improper Authentication
Affected: documentlocator document_locator
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadows
No detection rules found.
Nuclei
ColumbiaSoft DocumentLocator - Improper Authentication
nuclei·CVSS 9.8
CVE-2023-5830 [CRITICAL] ColumbiaSoft DocumentLocator - Improper Authentication
Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document Locator application by confirming external DNS interaction/lookups by modifying the value of the client-side SERVER parameter at /api/authentication/login.
Template:
```yaml
id: CVE-2023-5830

info:
  name: ColumbiaSoft DocumentLocator - Improper Authentication
  author: Gonski
  severity: critical
  description: |
    Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document
```
Greynoiseio
New SSRF Exploitation Surge Serves as a Reminder of 2019 Capital One Breach
blogs_greynoiseio·2025-03-11
Greynoiseio
NoiseLetter April 2024
blogs_greynoiseio