PatchSiren cyber security CVE debrief
CVE-2023-5635 ArslanSoft CVE debrief
CVE-2023-5635 is a high-severity information disclosure issue in ArslanSoft Education Portal before v1.1. The public records describe improper protection for outbound error messages and alert signals, creating a path for account footprinting. NVD rates the issue CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), so the main concern is remote, unauthenticated exposure of sensitive account-related information rather than direct system disruption.
- Vendor
- ArslanSoft
- Product
- Education Portal
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2023-12-01
- Original CVE updated
- 2026-05-21
- Advisory published
- 2023-12-01
- Advisory updated
- 2026-05-21
Who should care
Organizations running ArslanSoft Education Portal versions before 1.1 should treat this as a priority, especially teams responsible for authentication, account management, and public-facing portal endpoints. Security operations and application owners should also review whether the portal exposes differentiated error or alert behavior that could reveal account existence or state.
Technical summary
The NVD record and USOM advisory indicate that Education Portal versions before 1.1 are affected by improper protection of outbound error messages and alert signals. The listed weakness is CWE-1320, and the CVSS vector shows a network-reachable issue requiring no privileges or user interaction, with high confidentiality impact. In practical defensive terms, this type of flaw can allow an external party to infer account-related information from externally visible responses, alerts, or other signals that should not be exposed.
Defensive priority
High. The vulnerability is remotely reachable, requires no authentication, and is scored 7.5 HIGH with high confidentiality impact. Because the issue is pre-auth and centered on account footprinting, it should be addressed promptly in any exposed deployment of Education Portal before v1.1.
Recommended defensive actions
- Upgrade ArslanSoft Education Portal to v1.1 or later, since the vulnerable range in the public record ends before 1.1.
- Review all outward-facing error and alert paths for account enumeration or account-state leakage.
- Normalize user-facing responses so that authentication, account lookup, and recovery flows do not reveal whether an account exists or what condition it is in.
- Keep detailed diagnostic information in server-side logs only, and avoid returning internal validation or routing details to clients.
- Test public endpoints for distinct messages, timing differences, or alert behavior that could be used for account footprinting.
- If immediate upgrading is not possible, apply temporary compensating controls such as response normalization and strict monitoring of account-related endpoints.
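The response-normalization and endpoint-testing items above, illustrated as an added example (not ArslanSoft code and not derived from the Education Portal source, which is not public in the record). It shows a login handler that leaks account existence and state through distinct error messages and unequal work, next to a hardened version that returns one message for every failure, does the password hash on every path, and keeps the reason in a server-side log only. The account store, user names, passwords and messages are constructed for the demo; the probe helper is the kind of check a tester would run against real endpoints.

```python
"""Account-footprinting demo: leaky login handler beside a hardened one,
plus a probe that tells them apart. Added example; not ArslanSoft code.
The account store, names and messages below are constructed for the demo."""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # constructed work factor; real deployments tune this


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed account store: username -> (salt, password_hash, locked)
_SALT = os.urandom(16)
ACCOUNTS = {
    "alice": (_SALT, _hash("correct horse", _SALT), False),
    "bob": (_SALT, _hash("hunter2", _SALT), True),  # locked account
}

# Dummy credential so an unknown user costs the same as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

SERVER_LOG: list[str] = []  # stands in for the application log


def log_server_side(line: str) -> None:
    """Detail stays here; it is never returned to the client."""
    SERVER_LOG.append(line)


def vulnerable_login(username: str, password: str) -> tuple[int, str]:
    """Leaks existence and state: every branch has its own status and
    message, and unknown users are rejected without hashing at all."""
    rec = ACCOUNTS.get(username)
    if rec is None:
        return 404, "No account with that username"
    salt, stored, locked = rec
    if locked:
        return 403, "Account is locked; contact the administrator"
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "OK"


def hardened_login(username: str, password: str) -> tuple[int, str]:
    """One outward response for every failure. The hash is computed on
    every path so timing does not reveal whether the account exists."""
    rec = ACCOUNTS.get(username)
    salt, stored, locked = rec if rec else (_DUMMY_SALT, _DUMMY_HASH, False)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if rec is None or locked or not match:
        reason = "unknown user" if rec is None else ("locked" if locked else "bad password")
        log_server_side(f"login failed user={username!r} reason={reason}")
        return 401, "Invalid username or password"
    return 200, "OK"


def distinct_failure_responses(handler, usernames, password="wrong-guess"):
    """Probe a handler with a bad password for each username and return the
    set of distinct (status, message) pairs. More than one pair means an
    unauthenticated caller can tell accounts apart (account footprinting)."""
    return {handler(u, password) for u in usernames}


def median_latency(handler, username, password="wrong-guess", rounds=5):
    """Rough timing probe: a large gap between a known and an unknown user
    is the timing side of the same leak, even when messages are uniform."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        handler(username, password)
        samples.append(time.perf_counter() - t0)
    return sorted(samples)[len(samples) // 2]


if __name__ == "__main__":
    probes = ["alice", "bob", "nobody"]
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(name, sorted(distinct_failure_responses(handler, probes)))
        print("  median latency known/unknown:",
              f"{median_latency(handler, 'alice'):.4f}s",
              f"{median_latency(handler, 'nobody'):.4f}s")
```

Run against a real portal, the same probe is an HTTP client rather than a function call, and the thing to compare is the full response (status, body, headers, length) for a known account, a locked or disabled account, and a name that cannot exist; any stable difference is a finding, and so is a consistent latency gap between known and unknown names.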
Evidence notes
The description in the CVE record states: "Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ArslanSoft Education Portal allows Account Footprinting." The NVD metadata lists the affected CPE as Arslansoft Education Portal versions before 1.1 and provides CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The USOM references cited in NVD are the supporting third-party advisory sources.
Official resources
- CVE-2023-5635 CVE record (CVE.org)
- CVE-2023-5635 NVD detail (NVD)
- Source item: nvd_modified
- Mitigation or vendor reference: [email protected] (Third Party Advisory, as cited by NVD)
Publicly disclosed in the CVE record on 2023-12-01. The NVD record was later modified on 2026-05-21, but that update date should not be treated as the vulnerability's original disclosure date.