CVE-2023-48373 is a high-severity path traversal vulnerability (CWE-22) found in the ITPison OMICARD EDM product, specifically within its SMS module. The vulnerability arises from improper validation of the 'FileName' parameter in a particular function, allowing an unauthenticated remote attacker to manipulate the pathname and access files outside the intended restricted directory. This bypasses authentication controls and enables the attacker to download arbitrary system files. The vulnerability affects version 6.0.1.5 of OMICARD EDM. The CVSS 3.1 base score is 7.5, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). Although no known exploits are currently reported in the wild, the ease of exploitation and the ability to access sensitive files remotely without authentication make this a significant risk. The lack of integrity and availability impact suggests the primary concern is unauthorized disclosure of sensitive information, which could include configuration files, credentials, or other critical data stored on the system. The vulnerability could be leveraged as a stepping stone for further attacks, such as privilege escalation or lateral movement within a network.

For European organizations using ITPison OMICARD EDM, this vulnerability poses a serious risk to confidentiality. Unauthorized disclosure of sensitive files could lead to exposure of personal data, intellectual property, or system credentials, potentially violating GDPR and other data protection regulations. The ability to bypass authentication remotely increases the risk of compromise, especially in environments where OMICARD EDM is exposed to untrusted networks or the internet. This could result in data breaches, loss of customer trust, regulatory fines, and operational disruptions. Given the product's role in electronic document management, sensitive business documents and communications could be at risk. Additionally, attackers could use the information gained to facilitate further attacks, such as deploying ransomware or conducting espionage. The impact is heightened in sectors with strict compliance requirements such as finance, healthcare, and government agencies across Europe.

Organizations should immediately verify if they are running the affected version (v6.0.1.5) of ITPison OMICARD EDM's SMS module. Since no patch links are currently provided, they should contact ITPison for official patches or workarounds. In the interim, restrict network access to the OMICARD EDM SMS service to trusted internal networks only, using firewalls or network segmentation to prevent exposure to untrusted sources. Implement strict input validation and monitoring on the 'FileName' parameter if custom controls or web application firewalls (WAFs) are in place, creating rules to detect and block path traversal patterns (e.g., '../'). Conduct thorough logging and monitoring of file access requests to detect suspicious activity. Review and minimize file permissions on the server to limit the files accessible by the OMICARD EDM application. Additionally, perform regular security assessments and penetration tests focused on path traversal and other input validation vulnerabilities. Finally, prepare an incident response plan to quickly address any exploitation attempts.