CVE-2023-31435

HIGH

evasys <8.2.2286 & <9.0.2401 - Info Disclosure

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-31435. PoCs published by trustcves.

AI-analyzed exploit summary: This is a detailed technical writeup describing an authorization bypass vulnerability (CVE-2023-31435) in Evasys software. It includes proof-of-concept URLs, role-based access issues, and vendor communication timeline.

Description

Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow authenticated attackers to read and write to unauthorized data by accessing functions directly.

Exploits (1)

nomisec WRITEUP
by trustcves · poc
https://github.com/trustcves/CVE-2023-31435

Classification: Writeup 100%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Evasys v8.2 Build 2275-2285 and v9.0 Build 2400
Auth required
Prerequisites: Valid token for 'Teilbereichsadmin' or 'Trainer' role · Access to specific URLs
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Exploit, Third Party Advisory
https://cves.at/posts/cve-2023-31435/writeup/

Scores

CVSS v3 8.1
EPSS 0.0070
EPSS Percentile 48.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (2)
evasys/evasys 8.2
evasys/evasys 9.0
Published May 02, 2023
Tracked Since Feb 18, 2026