Overview
- Description: Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.
- Source: cve@mitre.org
- NVD status: Analyzed
Risk scores
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
Known exploits
Data from CISA
- Vulnerability name: Fortra Cobalt Strike User Interface Remote Code Execution Vulnerability
- Exploit added on: Mar 30, 2023
- Exploit action due: Apr 20, 2023
- Required action: Apply updates per vendor instructions.
Weaknesses
- CWE-116 (source: nvd@nist.gov)
Social media
- Hype score: Not currently trending
Configurations
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:helpsystems:cobalt_strike:4.7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5F082C0F-93EC-4401-9A61-EA1C6599FC08"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]