CVE-2023-46595 is a cross-site scripting (CWE-79) vulnerability identified in the Algosec FireFlow product, specifically within the VisualFlow workflow editor component. The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious HTML content. This injection can cause the victim's browser to leak Net-NTLM hashes and domain credentials to the attacker. Net-NTLM hashes are authentication tokens used in Windows environments that, if captured, can be relayed or cracked to gain unauthorized access to domain resources. The vulnerability requires the attacker to have high privileges (PR:H) and user interaction (UI:R), and it is exploitable over a network with high attack complexity (AC:H). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component and does not extend beyond it. The confidentiality and integrity impacts are high, as attackers can obtain sensitive credentials and potentially perform relay attacks to move laterally within the domain. Availability impact is low. The vulnerability affects Algosec FireFlow versions prior to A32.20 (b570) and A32.50 (b390), where fixes have been implemented. No public exploits have been reported yet, but the nature of the vulnerability makes it a significant risk in environments where Algosec FireFlow is deployed, especially in enterprise networks relying on Windows domain authentication.

For European organizations, this vulnerability poses a significant risk to domain security and credential confidentiality. Algosec FireFlow is used for network security policy management and workflow automation, often integrated into critical infrastructure and enterprise environments. Exploitation could lead to unauthorized access to domain credentials, enabling attackers to perform relay attacks, escalate privileges, and move laterally within corporate networks. This can result in data breaches, disruption of network security operations, and compromise of sensitive systems. The leak of Net-NTLM hashes is particularly concerning in environments where legacy authentication protocols are still in use. Given the medium CVSS score and the requirement for high privileges and user interaction, the threat is more relevant in insider threat scenarios or targeted attacks against administrators. However, the potential for credential theft and subsequent domain compromise makes it a critical issue for organizations managing complex network security policies.

1. Apply the official patches released by Algosec in versions A32.20 (b570 or above) and A32.50 (b390 or above) immediately to remediate the vulnerability. 2. Restrict access to the VisualFlow workflow editor to only trusted administrators and limit exposure to the internet or untrusted networks. 3. Implement network segmentation and strict access controls around systems running Algosec FireFlow to reduce the attack surface. 4. Monitor authentication logs and network traffic for unusual Net-NTLM authentication attempts or relay attack indicators. 5. Enforce the use of modern authentication protocols like Kerberos and disable or restrict NTLM where possible to reduce the impact of leaked hashes. 6. Conduct regular security awareness training for administrators to recognize phishing or social engineering attempts that could trigger user interaction exploitation. 7. Employ web application firewalls (WAFs) with rules to detect and block XSS payloads targeting the FireFlow interface. 8. Review and harden browser security settings for administrators accessing the FireFlow editor to mitigate the risk of HTML injection exploitation.