PatchSiren cyber security CVE debrief
CVE-2023-1726 Proliz CVE debrief
CVE-2023-1726 is a stored cross-site scripting issue in Proliz OBS, affecting versions before 23.04.01. According to the published record, the flaw impacts authenticated users and is categorized as CWE-79. The NVD vector shows network-based exploitation with low attack complexity, low privileges required, user interaction required, and limited confidentiality/integrity impact (CVSS 3.1: 5.4 MEDIUM). Defenders should treat this as a prompt remediation item for any deployed OBS instance that accepts and later renders user-controlled content.
- Vendor: Proliz
- Product: OBS
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2023-04-07
- Original CVE updated: 2024-11-21
- Advisory published: 2023-04-07
- Advisory updated: 2024-11-21
Who should care
System administrators, application owners, and security teams responsible for Proliz OBS deployments should care most, especially if the application is accessible to multiple authenticated users or handles user-generated content.
Technical summary
The source record describes an improper neutralization of input during web page generation that can result in stored XSS. In practical terms, an authenticated user can supply content that is later rendered in a browser without sufficient output encoding or sanitization, allowing script execution in the context of another user’s session. The affected version range ends before 23.04.01, and the NVD reference ties the issue to CWE-79 with a CVSS vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N.
Defensive priority
Medium priority, but patch promptly if the system is user-facing or supports multiple authenticated roles. Stored XSS can be used to manipulate sessions, content, or user actions even when availability is not directly impacted.
Recommended defensive actions
- Upgrade Proliz OBS to version 23.04.01 or later, which is the first fixed version named in the source record.
- Review all authenticated input paths that are rendered back into web pages and ensure context-appropriate output encoding is applied.
- Audit templates and rich-text or comment fields for stored content that may be reflected without sanitization.
- Restrict unnecessary authenticated write access and apply least privilege to roles that can create or edit content.
- Monitor for suspicious script-like payloads in application logs and review affected user sessions if abuse is suspected.
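The following block illustrates the two defensive steps the technical summary and the actions above rely on: rendering stored, user-controlled content with context-appropriate output encoding (the CWE-79 fix), and a simple screen for script-like content in stored records to support the audit and monitoring steps. It is example code written for this debrief, not Proliz OBS code; the record fields, sample comments, and function names are constructed assumptions.

```python
"""Stored-XSS defence in two parts: encode on output, screen stored content.

Added example for this debrief; it is not code from Proliz OBS. The record
layout (id/author/comment) and all sample values are constructed.
"""
import html
import re
from urllib.parse import quote

# Constructed sample records standing in for stored user content.
# Records 2 and 3 carry the kind of markup an authenticated user could store.
SAMPLE_RECORDS = [
    {"id": 1, "author": "student01", "comment": "Great lecture, thanks!"},
    {"id": 2, "author": "student02", "comment": "<script>alert(1)</script>"},
    {"id": 3, "author": "student03", "comment": '<img src=x onerror="alert(1)">'},
    {"id": 4, "author": "student04", "comment": "Tom & Jerry < Road Runner"},
]


def render_comment_vulnerable(record):
    """The CWE-79 pattern: stored content concatenated straight into HTML."""
    return f'<li data-author="{record["author"]}">{record["comment"]}</li>'


def render_comment_hardened(record):
    """Same markup, but every user-controlled value is encoded for its context.

    html.escape(quote=True) handles the HTML body and quoted-attribute contexts
    by converting & < > " ' to entities, so stored markup renders as text.
    """
    author = html.escape(record["author"], quote=True)
    body = html.escape(record["comment"], quote=True)
    return f'<li data-author="{author}">{body}</li>'


def render_profile_link(author):
    """URL context needs a different encoder than HTML context.

    The path segment is percent-encoded (safe="" so '/' is encoded too), and
    the visible link text is HTML-escaped separately.
    """
    return f'<a href="/users/{quote(author, safe="")}">{html.escape(author)}</a>'


# Markers typical of script-bearing content in fields that should hold text.
# A triage aid for auditing stored data and logs, not a substitute for encoding.
SCRIPT_LIKE = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|<\s*svg\b",
    re.IGNORECASE,
)


def flag_script_like(records):
    """Return the ids of stored records whose comment matches a script-like marker."""
    return [r["id"] for r in records if SCRIPT_LIKE.search(r["comment"])]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("vulnerable:", render_comment_vulnerable(rec))
        print("hardened:  ", render_comment_hardened(rec))
    print("records to review:", flag_script_like(SAMPLE_RECORDS))
```

Running the block side by side shows why the audit step matters even after the upgrade: the vulnerable renderer emits record 2 as live markup, the hardened renderer emits it as visible text, and `flag_script_like` points the reviewer at records 2 and 3 while leaving the benign but angle-bracketed record 4 alone.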
Evidence notes
The CVE description states that Proliz OBS has a stored XSS vulnerability for an authenticated user and that the issue affects versions before 23.04.01. The NVD metadata provides the affected CPE range ending before 23.04.01 and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The supplied third-party advisory URL is USOM reference TR-23-0205. No CISA KEV entry is present in the supplied data.
Official resources
- CVE-2023-1726 CVE record (CVE.org)
- CVE-2023-1726 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Third Party Advisory (USOM TR-23-0205)
Published in the CVE record on 2023-04-07; the source metadata was last modified on 2024-11-21. Timing in this debrief is based on the supplied CVE dates, not generation time.