How severe is CVE-2023-43656?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9 out of 10.

What type of vulnerability is CVE-2023-43656?

This is classified as CWE-74, which is a common weakness in software security.

CVE-2023-43656

CRITICAL Year: 2023

CVSS v3 Score

9.0

Critical

Weakness Type

CWE-74

View all →

Vulnerability Description

matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances that have enabled transformation functions (those that have `generic.allowJsTransformationFunctions` in their config), may be vulnerable to an attack where it is possible to break out of the `vm2` sandbox and as a result Hookshot will be vulnerable to this. This problem is only likely to affect users who have allowed untrusted users to apply their own transformation functions. If you have only enabled a limited set of trusted users, this threat is reduced (though not eliminated). Version 4.5.0 and above of hookshot include a new sandbox library which should better protect users. Users are advised to upgrade. Users unable to upgrade should disable `generic.allowJsTransformationFunctions` in the config.

CVE-2021-21353

CRITICAL

CVSS:9.0(Critical)

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a u...

CWE-742021

CVE-2023-22522

CRITICAL

CVSS:9.0(Critical)

This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is abl...

CWE-742023

CVE-2024-29027

CRITICAL

CVSS:9.0(Critical)

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name ...

CWE-742024

CVE-2024-39604

CRITICAL

CVSS:9.0(Critical)

A command execution vulnerability exists in the update_filter_url.sh functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An at...

CWE-742024

CVE-2014-7236

CRITICAL

CVSS:9.1(Critical)

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.

CWE-742014

CVE-2015-7544

CRITICAL

CVSS:9.1(Critical)

redhat-support-plugin-rhev in Red Hat Enterprise Virtualization Manager (aka RHEV Manager) before 3.6 allows remote authenticated users with the SuperUser role on any Entity to execute arbitrary comma...

CWE-742015

CVE-2023-43656

Vulnerability Description

Related Vulnerabilities

CVE-2021-21353

CVE-2023-22522

CVE-2024-29027

CVE-2024-39604

CVE-2014-7236

CVE-2015-7544