CVE-2023-49572
📋 TL;DR
Stored (persistent) cross-site scripting in the web management interface of Flexense VX Search Enterprise and Disk Pulse Enterprise. An attacker who can submit the ODBC configuration form can store JavaScript in the ODBC parameters (odbc_data_source, odbc_user, odbc_password); the payload then executes in the browser of any administrator who later views the affected page. Organizations running vulnerable versions of these Flexense products are affected.
💻 Affected Systems
- VX Search Enterprise
- Disk Pulse Enterprise
📦 What is this software?
Vx Search (automated file search) and Disk Pulse (real-time disk change monitoring), both by Flexense. The Enterprise editions include a web-based management interface, which is where the vulnerable ODBC configuration page (/setup_odbc) is served.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on administrator systems.
Likely Case
Session hijacking leading to unauthorized access, credential theft, or defacement of administrative interfaces.
If Mitigated
If stored values are HTML-encoded before being rendered, injected payloads are displayed as text and do not execute. Input validation alone reduces the attack surface but does not remove the risk, because the password field cannot be strictly allowlisted without rejecting legitimate passwords; output encoding is the control that matters.
🎯 Exploit Status
Exploitation requires the ability to submit values to the vulnerable parameters, which normally means an authenticated session on the management interface or a CSRF attack against a logged-in administrator. Because the payload is stored, a single successful submission affects every administrator who subsequently opens the page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: not stated in the advisory; obtain the current release from Flexense and confirm it is newer than the installed version
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-vx-search-enterprise
Restart Required: Yes
Instructions:
1. Check the current version in the product's About dialog.
2. Download the latest version from the Flexense website.
3. Install the update following the vendor's instructions.
4. Restart the application and its services.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation of the odbc_data_source, odbc_user, and odbc_password parameters before they are stored
Apply an allowlist regex such as ^[a-zA-Z0-9_\-\.@]+$ to usernames; DSN names may legitimately contain spaces, so use a looser allowlist for odbc_data_source, and do not allowlist passwords (cap their length instead)
HTML-encode every one of these values wherever it is written back into a page, including inside attribute values, since validation of the password field cannot be strict enough on its own
Access Restriction
Restrict access to the /setup_odbc endpoint, or to the whole management interface, to trusted IP addresses only
Windows Firewall: create a New Inbound Rule for the port the management interface listens on that allows only trusted source IPs and blocks all others
IIS/Web.config: <ipSecurity allowUnlisted="false"> with the allowed IPs; this only applies if the interface is published through IIS, otherwise rely on the host firewall rule
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in ODBC parameters
- Disable or restrict ODBC configuration functionality if not required
🔍 How to Verify
Check if Vulnerable:
On a non-production instance, submit <script>alert('XSS')</script> in odbc_data_source, odbc_user, or odbc_password and check whether the script executes when the ODBC settings page is rendered again (stored XSS). Inspect the page source as well: the payload is encoded correctly only if it appears as &lt;script&gt;, not as a literal <script> tag.
Check Version:
In application: Help → About or check installed programs in Control Panel
Verify Fix Applied:
After patching, repeat vulnerability test; script should be properly encoded and not execute
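The following Python is an added example, not Flexense code, that puts the "Input Validation Filter" workaround and the "How to Verify" check side by side: a validator using the advisory's username regex (the DSN allowlist and password length cap are assumptions), a deliberately vulnerable renderer that echoes stored values unencoded, a hardened renderer that HTML-attribute-encodes them, and the check that decides whether a captured response body still contains the raw probe payload.

```python
import html
import re

# Allowlist from the workaround above for odbc_user.
USERNAME_RE = re.compile(r"^[a-zA-Z0-9_\-\.@]+$")
# Assumed allowlist for DSN names (letters, digits, space, _ - .); adjust to
# whatever DSN names exist on the host.
DSN_RE = re.compile(r"^[a-zA-Z0-9_\-\. ]{1,128}$")
# Passwords are not allowlisted (that would reject legitimate ones); only the
# length is capped and output encoding is relied on.
PASSWORD_MAX_LEN = 256

PAYLOAD = "<script>alert('XSS')</script>"   # the probe from "How to Verify"


def validate_odbc_params(params):
    """Return a list of validation errors; an empty list means accept."""
    errors = []
    if not DSN_RE.fullmatch(params.get("odbc_data_source", "")):
        errors.append("odbc_data_source: only letters, digits, space, _ - . allowed")
    if not USERNAME_RE.fullmatch(params.get("odbc_user", "")):
        errors.append("odbc_user: only letters, digits, _ - . @ allowed")
    if not 1 <= len(params.get("odbc_password", "")) <= PASSWORD_MAX_LEN:
        errors.append("odbc_password: length must be 1-%d" % PASSWORD_MAX_LEN)
    return errors


# Hypothetical settings form; the real page layout is not known.
FORM = (
    '<input name="odbc_data_source" value="{dsn}">\n'
    '<input name="odbc_user" value="{user}">\n'
    '<input name="odbc_password" type="password" value="{pw}">\n'
)


def render_vulnerable(params):
    """Stored values echoed into the form with no encoding (the bug class)."""
    return FORM.format(dsn=params["odbc_data_source"],
                       user=params["odbc_user"],
                       pw=params["odbc_password"])


def render_hardened(params):
    """Same form, every value HTML-attribute-encoded before insertion."""
    def esc(v):
        return html.escape(v, quote=True)   # encodes < > & " '
    return FORM.format(dsn=esc(params["odbc_data_source"]),
                       user=esc(params["odbc_user"]),
                       pw=esc(params["odbc_password"]))


def reflected_unencoded(body, payload=PAYLOAD):
    """The "How to Verify" check on a captured response body: True if the raw
    payload is present, i.e. it would execute when the page is rendered."""
    return payload in body


if __name__ == "__main__":
    attack = {"odbc_data_source": "prod_dsn", "odbc_user": PAYLOAD,
              "odbc_password": "x"}
    print(validate_odbc_params(attack))                     # rejected on input
    print(reflected_unencoded(render_vulnerable(attack)))   # True: vulnerable
    print(reflected_unencoded(render_hardened(attack)))     # False: encoded
```

The attribute context matters: a value such as `" onfocus=alert(1) autofocus="` contains no `<script>` tag yet breaks out of `value="..."` in the vulnerable renderer, which is why the hardened one escapes quotes as well as angle brackets and why the verification check should be run with more than one probe.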
📡 Detection & Monitoring
Log Indicators:
- Unusual length or special characters (angle brackets, quotes, "javascript:", "on...=" handlers) in ODBC parameter values
- Multiple failed login attempts followed by ODBC configuration changes
Network Indicators:
- HTTP POST requests to /setup_odbc with script tags or JavaScript in the parameters; note that standard access logs do not record POST bodies, so this requires request-body logging at a reverse proxy or WAF, or the product's own configuration-change log
- Payloads are usually URL-encoded (e.g. %3Cscript%3E) and sometimes double-encoded, so decode before matching
SIEM Query (pseudo-syntax; adapt field names to your log source and decode the values first):
source="web_logs" AND uri_path="/setup_odbc" AND (param="odbc_data_source" OR param="odbc_user" OR param="odbc_password") AND (content="<script" OR content="javascript:")
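As an added example (not part of the advisory), the detection logic of the SIEM query above run offline over a few constructed log lines. The line format, addresses and timestamps are invented: it assumes a reverse proxy or WAF that appends the POST body as a final quoted field. The script repeatedly URL-decodes each watched parameter before matching, which is what catches the double-encoded attribute-breakout line that a literal "<script" match would miss.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines in a reverse-proxy/WAF style that appends the POST
# body as the last quoted field. Addresses, timestamps and values are invented.
SAMPLE_LOGS = [
    '10.0.0.5 - admin [12/Dec/2023:10:01:02 +0000] "POST /setup_odbc HTTP/1.1" 200 '
    '"odbc_data_source=prod_dsn&odbc_user=reports&odbc_password=S3cret%21"',
    '10.0.0.9 - admin [12/Dec/2023:10:03:44 +0000] "POST /setup_odbc HTTP/1.1" 200 '
    '"odbc_data_source=dsn&odbc_user=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&odbc_password=x"',
    # double URL-encoded attribute breakout: %2522 -> %22 -> "
    '10.0.0.9 - admin [12/Dec/2023:10:04:10 +0000] "POST /setup_odbc HTTP/1.1" 200 '
    '"odbc_data_source=%2522%2520onfocus%253Dalert%25281%2529%2520autofocus%253D%2522&odbc_user=a&odbc_password=b"',
    '10.0.0.7 - - [12/Dec/2023:10:05:00 +0000] "GET /index HTTP/1.1" 200 "-"',
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) "(?P<body>[^"]*)"$'
)
WATCHED = ("odbc_data_source", "odbc_user", "odbc_password")
# Script tags, javascript: URLs and inline event handlers (" onfocus=...").
SUSPICIOUS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
MAX_LEN = 128   # "unusual length" threshold; tune to real DSN/user lengths


def decode_fully(value, rounds=3):
    """Undo repeated URL encoding so %253C is seen as '<', not '%3C'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != "/setup_odbc":
        return []
    findings = []
    params = parse_qs(m["body"], keep_blank_values=True)   # decodes one layer
    for name in WATCHED:
        for raw in params.get(name, []):
            value = decode_fully(raw)
            reasons = []
            if SUSPICIOUS.search(value):
                reasons.append("script-like content")
            if len(value) > MAX_LEN:
                reasons.append("unusual length")
            if reasons:
                findings.append({"src": m["src"], "ts": m["ts"], "param": name,
                                 "reasons": reasons, "value": value[:80]})
    return findings


def scan(lines):
    """Run analyze_line over every line and flatten the findings."""
    return [f for line in lines for f in analyze_line(line)]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Running it reports the two attack lines and nothing for the legitimate configuration change or the unrelated GET. The event-handler pattern uses a word boundary so values like "condition=1" do not trip it; the length threshold will need tuning against real DSN and account names before it is useful as an alert.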