CVE-2023-49087

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published: Nov 30, 2023
Updated: Dec 6, 2023
CWE ID 345

Summary

CVE-2023-49087 affects the xml-security library, which is used for XML signatures and encryption. The vulnerability lies in the verification process of an XML signature, where the hash of the referenced XML content is compared to the DigestValue element, and the cryptographic signature over the SignedInfo tree is verified against a trusted public key. An attacker who can manipulate the DigestValue of the canonicalized version, through a bug in PHP's canonicalization function, can forge a signature, allowing unauthorized access or data modification. This issue has been addressed in versions 1.6.12 and 5.0.0-alpha.13.
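The first verification step the summary describes, the digest comparison, as an added example that is not code from the xml-security library or from the advisory. It uses only the Python standard library (its C14N implementation in `xml.etree.ElementTree.canonicalize`, Python 3.8+) and a constructed sample document; it checks every `ds:Reference` by canonicalizing the referenced subtree, hashing it with SHA-256 and comparing it in constant time to the stored `DigestValue`. The sample document, the `build_signed_document` and `tamper` helpers, and the `Id`-based lookup are assumptions for illustration. The second step, verifying the signature over `SignedInfo` against a trusted key, is not shown here: a document whose `DigestValue` was rewritten to match altered content still passes this digest step, which is exactly why the signature check over `SignedInfo` must follow it.

```python
import base64
import binascii
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS_NS}
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"


def canonical_digest(elem):
    """Canonicalize (C14N 1.0) the referenced subtree and hash it with SHA-256.

    The element is copied and its tail text dropped so that only the subtree
    itself is serialized, not the whitespace that follows it in the parent.
    """
    subtree = copy.deepcopy(elem)
    subtree.tail = None
    c14n = ET.canonicalize(ET.tostring(subtree, encoding="unicode"))
    return hashlib.sha256(c14n.encode("utf-8")).digest()


def find_by_id(root, ref_id):
    """Resolve a same-document reference (#id) to the element carrying that Id."""
    for elem in root.iter():
        if elem.get("Id") == ref_id:
            return elem
    return None


def verify_references(xml_text):
    """Return True only if every ds:Reference digest matches its canonicalized target.

    Any missing or unsupported piece (no SignedInfo, no references, a non-local URI,
    an unknown digest algorithm, malformed base64) fails closed.
    """
    root = ET.fromstring(xml_text)
    signed_info = root.find(".//ds:SignedInfo", NS)
    if signed_info is None:
        return False
    refs = signed_info.findall("ds:Reference", NS)
    if not refs:
        return False
    for ref in refs:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document references are handled here
        target = find_by_id(root, uri[1:])
        method = ref.find("ds:DigestMethod", NS)
        value = ref.find("ds:DigestValue", NS)
        if target is None or method is None or value is None:
            return False
        if method.get("Algorithm") != SHA256_URI:
            return False
        try:
            expected = base64.b64decode((value.text or "").strip(), validate=True)
        except binascii.Error:
            return False
        # Constant-time comparison of stored digest against the recomputed one.
        if not hmac.compare_digest(expected, canonical_digest(target)):
            return False
    return True


def build_signed_document(amount):
    """Construct a sample document (test fixture) whose DigestValue is correct for its Data element."""
    data = ET.fromstring(f'<Data Id="doc"><Amount>{amount}</Amount></Data>')
    digest = base64.b64encode(canonical_digest(data)).decode("ascii")
    return f"""<Root xmlns:ds="{DS_NS}">
  <Data Id="doc"><Amount>{amount}</Amount></Data>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:Reference URI="#doc">
        <ds:DigestMethod Algorithm="{SHA256_URI}"/>
        <ds:DigestValue>{digest}</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
</Root>"""


def tamper(document, old_amount, new_amount):
    """Alter the signed content without touching the stored DigestValue (constructed scenario)."""
    return document.replace(f"<Amount>{old_amount}</Amount>", f"<Amount>{new_amount}</Amount>")


if __name__ == "__main__":
    good = build_signed_document(10)
    print("intact document passes digest check:", verify_references(good))
    print("altered content fails digest check:", verify_references(tamper(good, 10, 1000)))
```

Because `verify_references` only establishes that the content matches what the `SignedInfo` claims, a verifier must still check the signature over the canonicalized `SignedInfo` with a trusted public key before accepting the document; a digest-only check is what the advisory's forgery scenario defeats.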
