CVE-2023-31435 – This vulnerability in evasys software allows au... (How to Fix)

Q: What is the severity of CVE-2023-31435?

CVE-2023-31435 has a CVSS score of 8.1 (HIGH). This vulnerability in evasys software allows authenticated attackers to bypass authorization controls and access unauthorized data through direct function calls. It affects evasys versions before 8.2 Build 2286 and 9.x before 9.0 Build 2401. Attackers can read and write data they shouldn't have access to.

📋 TL;DR

This vulnerability in evasys software allows authenticated attackers to bypass authorization controls and access unauthorized data through direct function calls. It affects evasys versions before 8.2 Build 2286 and 9.x before 9.0 Build 2401. Attackers can read and write data they shouldn't have access to.

💻 Affected Systems

Products:

evasys

Versions: All versions before 8.2 Build 2286 and 9.x before 9.0 Build 2401

Operating Systems: Any OS running evasys

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access but authorization bypass allows escalation beyond intended permissions.

📦 What is this software?

Evasys by Evasys

View all CVEs affecting Evasys →

Evasys by Evasys

View all CVEs affecting Evasys →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access sensitive student data, modify survey results, tamper with templates, and potentially compromise the entire evasys system integrity.

🟠

Likely Case

Unauthorized access to survey data, questionnaire responses, and administrative functions leading to data leakage and manipulation.

🟢

If Mitigated

Limited impact if proper network segmentation, strong authentication, and least privilege principles are implemented.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but direct function calls bypass authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2 Build 2286 or 9.0 Build 2401

Vendor Advisory: https://cves.at/posts/cve-2023-31435/writeup/

Restart Required: Yes

Instructions:

1. Download latest evasys version from vendor. 2. Backup current installation. 3. Apply patch/upgrade to 8.2 Build 2286 or 9.0 Build 2401. 4. Restart evasys services. 5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict access to evasys to only trusted networks and users

Enhanced Authentication

all

Implement multi-factor authentication and strong password policies

🧯 If You Can't Patch

Implement strict network access controls and firewall rules
Enable detailed logging and monitoring for unauthorized access attempts

🔍 How to Verify

Check if Vulnerable:

Check evasys version in administration interface or configuration files

Check Version:

Check evasys web interface admin panel or consult system documentation

Verify Fix Applied:

Verify version is 8.2 Build 2286 or higher for 8.x, or 9.0 Build 2401 or higher for 9.x

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to sensitive functions
Unusual data access patterns from authenticated users

Network Indicators:

Direct function calls bypassing normal UI flows
Unusual API requests

SIEM Query:

source="evasys" AND (event_type="unauthorized_access" OR user_privilege_escalation=true)

📊 Metadata

CVE ID: CVE-2023-31435

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-863

Published: May 2, 2023

Last Updated: January 30, 2025

🔗 References

https://cves.at/posts/cve-2023-31435/writeup/ Exploit,Third Party Advisory
https://cves.at/posts/cve-2023-31435/writeup/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31435, you might also want to check these: