PatchSiren cyber security CVE debrief
CVE-2023-2886 CBOT CVE debrief
CVE-2023-2886 is a medium-severity vulnerability in Cbot Chatbot involving missing Origin validation in WebSockets. According to the CVE record, the issue can allow content spoofing through application API manipulation. The affected versions listed in the source are Cbot Core before 4.0.3.4 and Cbot Panel before 4.0.3.7. The CVE was published on 2023-05-25, and NVD later marked the record modified on 2024-11-21.
- Vendor: CBOT
- Product: Chatbot
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-05-25
- Original CVE updated: 2024-11-21
- Advisory published: 2023-05-25
- Advisory updated: 2024-11-21
Who should care
Administrators and developers responsible for Cbot Chatbot Core and Panel deployments should prioritize this issue, especially any environment that relies on browser-based WebSocket interactions or exposes chatbot APIs to user-originated traffic. Security teams validating application-layer trust boundaries should also review it.
Technical summary
The source corpus describes a Missing Origin Validation weakness in WebSockets. In practice, that means the application may accept a WebSocket handshake without sufficiently verifying the Origin header that identifies the page initiating the connection. NVD maps the issue to CWE-346, and the third-party advisory also lists CWE-1385. The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, and a user interaction requirement, with impact limited to integrity. The affected Cbot versions are Core versions before 4.0.3.4 and Panel versions before 4.0.3.7.
Defensive priority
Medium. The issue is externally reachable and can affect integrity through spoofed content, but the published CVSS score is 4.3 and the vector shows no confidentiality or availability impact. Remediation should still be scheduled promptly because the weakness affects trust validation in a web-facing protocol.
Recommended defensive actions
- Upgrade Cbot Chatbot Core to version 4.0.3.4 or later.
- Upgrade Cbot Chatbot Panel to version 4.0.3.7 or later.
- Review WebSocket origin handling in any custom integrations or reverse proxies in front of Cbot.
- Validate that browser-originated WebSocket connections are restricted to expected origins.
- Re-test chatbot workflows after updating to confirm the fixed versions are deployed and active.
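One way to implement the control that the two WebSocket bullets above call for, as an added example that is not Cbot's code: a strict allowlist check on the Origin header of a WebSocket upgrade request. The allowlist entries, the chat.example.com hostnames and the sample headers are constructed for the example.

```python
# Added example, not Cbot code: strict Origin allowlisting for a WebSocket
# upgrade request, the check that CWE-346 / CWE-1385 describe as missing.
from typing import Optional
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize an Origin value to scheme://host[:port]; None if malformed."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # covers the literal "null" origin and bare hostnames
    # A genuine Origin header has no path, query, fragment or userinfo; anything
    # else is a string dressed up to look like a trusted origin (e.g. user@host).
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Constructed allowlist: the origins the chatbot front end is actually served from.
ALLOWED_ORIGINS = {
    normalize_origin("https://chat.example.com"),
    normalize_origin("https://chat.example.com:8443"),
}


def check_handshake(headers: dict) -> tuple:
    """Return (allowed, reason) for the headers of a WebSocket upgrade request."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if hdrs.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = hdrs.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake, so a missing header
        # on a browser-facing endpoint is rejected rather than silently trusted.
        return False, "missing Origin"
    canonical = normalize_origin(origin)
    if canonical is None:
        return False, f"malformed Origin {origin!r}"
    if canonical not in ALLOWED_ORIGINS:
        return False, f"Origin {canonical} not in allowlist"
    return True, "ok"
```

Exact-match comparison on the canonical form is the point: substring or prefix checks would accept a look-alike host such as chat.example.com.evil.test.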
Evidence notes
All claims are limited to the supplied CVE/NVD corpus and the referenced USOM advisory. The CVE record states: missing Origin validation in WebSockets, content spoofing via application API manipulation, affected Core before 4.0.3.4 and Panel before 4.0.3.7. NVD lists CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N and weaknesses CWE-346, while the third-party advisory also lists CWE-1385. The CVE was published on 2023-05-25 and modified on 2024-11-21; the modified date is record maintenance context, not the original issue date.
Official resources
- CVE-2023-2886 CVE record (CVE.org)
- CVE-2023-2886 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
Publicly disclosed in the CVE record on 2023-05-25; NVD later updated the entry on 2024-11-21.