CVE-2023-26563/4/5 Status

Dear Team,

We use Syncfusion in an Angular SPA. So far, we mostly used the grids and the rich text box editors. They work well.

We now want to use the File Manager. However, our Security Team asked for a status on these 3 CVEs: CVE-2023-26563, CVE-2023-26564, CVE-2023-26565. We're not sure if they have been fixed, as per this (quite old) website post: https://ruptura-infosec.com/ownage/syncfusion-cve-2023-26563-4-5/.

Thanks and kind regards,

Sylvain.


3 Replies

LD LeoLavanya Dhanaraj Syncfusion Team May 16, 2025 07:49 AM UTC

Hi Sylvain,


Greetings from Syncfusion support.


We have validated the security issue flagged by GitHub code scanning within our providers (Physical file provider, Node JS and SQL provider). The identified issue has been addressed, and the necessary code modifications have been incorporated. These changes are available in the public service provider mentioned below. Please check the shared public repository for your reference.


CVE-2023-26563 - Physical file provider - https://github.com/SyncfusionExamples/ej2-aspcore-file-provider

CVE-2023-26564 - Node JS - https://github.com/SyncfusionExamples/ej2-filemanager-node-filesystem

CVE-2023-26565 - SQL - https://github.com/SyncfusionExamples/sql-server-database-aspcore-file-provider


Refer to the information provided, and feel free to reach out if you need any further assistance.


Regards,

Leo Lavanya Dhanaraj



SR Sylvain RODRIGUE May 20, 2025 01:54 PM UTC

Thank you, much appreciated. I will forward this to the security team.



LD LeoLavanya Dhanaraj Syncfusion Team May 21, 2025 05:14 AM UTC

Thanks for the update. Please get back to us if you need any further assistance in the future.

