QwikSec

Security Database

CVE

CWE

Training

CVE-2023-1306

Published: Mar 21, 2023

Modified: Feb 26, 2025

PUBLISHED

Description

An authenticated attacker can leverage an exposed resource.db() accessor method to smuggle Python method calls via a Jinja template, which can lead to code execution. This issue was resolved in the Managed and SaaS deployments on February 1, 2023, and in version 23.2.1 of the Self-Managed version of InsightCloudSec.

Vendor	Product	Versions
Rapid7	InsightCloudSec	affected `0 - <= 23.2.0`

Weaknesses (CWE)

References

https://docs.divvycloud.com/changelog/23321-release-notes

release-notes

https://nephosec.com/exploiting-rapid7s-insightcloudsec/

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.