April 20, 2023

CVE-2023-26101 - Path Traversal vulnerability in Flowmon Packet Investigator 12.0.1

1. Vulnerability Properties

Title: Path Traversal vulnerability in Flowmon Packet Investigator 12.0.1
CVE ID: CVE-2023-26101
CVSSv3 Base Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Vendor: Progress
Products: Flowmon FPI
Advisory Release Date: 19-04-2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2023-26101
Credits: Discovery by Caio Farias <caio.farias[at]devoteam.com>

2. Vulnerability Summary

All logged users with a credential to Flowmon Packet Investigator can use this vulnerability to download files stored on the appliance file system.

3. Vulnerable Versions

<=12.0.1

4. Solution

Fix is available in Flowmon Packet Investigator 12.1

5. Vulnerability Timeline

02/Nov/22 - Bug reported to Progress
02/Nov/22 - Bug verified by vendor
19/Apr/23 - Advisory released

6. References

https://support.kemptechnologies.com/hc/en-us/articles/12737582619789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26101

CVE-2023-26100 - Reflected XSS vulnerability in FMC Analysis

CVE-2023-38722 - Stored Cross-Site Scripting in IBM Sterling Partner Engagement Manager