Tyler Technologies Court Case Management Plus use of Aquaforest TIFF Server te003.aspx and te004.aspx allows authentication bypass
Description
Tyler Technologies Court Case Management Plus allows a remote, unauthenticated attacker to enumerate directories using the tiffserver/te003.aspx or te004.aspx 'ifolder' parameter. This behavior is related to the use of a deprecated version of Aquaforest TIFF Server, possibly 2.x. The vulnerable Aquaforest TIFF Server feature was removed on or around 2023-11-01. Insecure configuration issues in Aquaforest TIFF Server are identified separately as CVE-2023-6352. CVE-2023-6343 is related to or partially caused by CVE-2023-6352.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Tyler Technologies Court Case Management Plus, using deprecated Aquaforest TIFF Server, allows unauthenticated remote directory enumeration via the 'ifolder' parameter in specific ASPX pages.
Vulnerability
CVE-2023-6344 affects Tyler Technologies Court Case Management Plus, which utilizes a deprecated version of Aquaforest TIFF Server (possibly 2.x) [1][2]. The vulnerability allows an unauthenticated remote attacker to enumerate directories by sending crafted requests to tiffserver/te003.aspx or te004.aspx with the ifolder parameter [2]. This behavior is due to insecure design choices in the Aquaforest TIFF Server component, which was never intended to be exposed to the internet [1]. The directory enumeration flaw was present in Court Case Management Plus until the vulnerable component was removed on or around November 1, 2023 [description].
Exploitation
An attacker needs only network access to the vulnerable server; no authentication is required. By manipulating the ifolder parameter in requests to te003.aspx or te004.aspx, the attacker can list directories and files on the server, including network shares accessible to the TIFF Server process [2]. Exploitation can be performed with a standard web browser or any HTTP client and does not require any special privileges [3].
Impact
Successful exploitation allows the attacker to enumerate the entire directory structure, potentially discovering sensitive documents and files [1][2]. While the primary impact is information disclosure through directory enumeration, the vulnerability can be combined with other flaws (such as CVE-2023-6343) to view the contents of enumerated files that should require authentication [1][2]. This could expose sealed court documents, personal information, or other confidential data [3].
Mitigation
Tyler Technologies removed the vulnerable Aquaforest TIFF Server feature from Court Case Management Plus on or around November 1, 2023 [description]. Organizations should ensure they are running a version of the software that does not include the deprecated component. For other users of Aquaforest TIFF Server, the product is being sunsetted by May 31, 2024, and no further updates are planned [4]; it is recommended to restrict access to trusted networks and follow the vendor's security guidance [1]. There is no patch for the underlying design issue in older versions [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
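For sites reviewing web server logs from the period before the component was removed, the following added example (not from the CVE record, the vendor, or the cited advisories) finds requests to the two pages named above that carry an ifolder parameter and groups them by client. It assumes IIS W3C extended log format; the function names are hypothetical and the sample log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

PAGES = ("/te003.aspx", "/te004.aspx")  # pages named in the CVE description

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-username sc-status
2023-10-02 09:14:01 GET /tiffserver/te003.aspx ifolder=FOLDER%5FA 203.0.113.7 - 200
2023-10-02 09:14:05 GET /TiffServer/TE004.aspx IFolder=FOLDER%5FB 203.0.113.7 - 200
2023-10-02 09:15:40 GET /tiffserver/te003.aspx - 198.51.100.4 - 200
2023-10-02 09:16:12 GET /search/results.aspx ifolder=x 198.51.100.4 clerk1 200
2023-10-02 09:17:30 GET /tiffserver/te003.aspx ifolder=FOLDER%5FA 192.0.2.9 - 404
"""

def find_ifolder_requests(log_text):
    """Return {client_ip: [(timestamp, page, decoded ifolder, status, user), ...]}."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if not stem.endswith(PAGES):
            continue
        query = row.get("cs-uri-query", "-")       # "-" means no query string
        params = parse_qsl("" if query == "-" else query, keep_blank_values=True)
        for name, value in params:                 # parse_qsl percent-decodes values
            if name.lower() == "ifolder":
                hits[row.get("c-ip", "?")].append((
                    f"{row.get('date', '')} {row.get('time', '')}".strip(),
                    stem.rsplit("/", 1)[-1], value,
                    row.get("sc-status", "?"), row.get("cs-username", "-")))
    return dict(hits)

def summarize(hits):
    """Per client: request count, distinct folder values, and count answered 2xx."""
    return {ip: {"requests": len(rows),
                 "folders": sorted({r[2] for r in rows}),
                 "succeeded": sum(r[3].startswith("2") for r in rows)}
            for ip, rows in hits.items()}

if __name__ == "__main__":
    for ip, info in summarize(find_ifolder_requests(SAMPLE_LOG)).items():
        print(ip, info)
```

A client with many distinct folder values and 2xx responses is the pattern to prioritise when scoping what may have been listed.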
Affected products
- Range: ~2.x
- Tyler Technologies/Court Case Management Plus v5, Range: 0
Patches
No patches discovered yet.
References
- www.aquaforest.com/blog/tiff-server-security-update (mitre, vendor-advisory)
- www.cisa.gov/news-events/alerts/2023/11/30/multiple-vulnerabilities-affecting-web-based-court-case-and-document-management-systems (mitre, third-party-advisory, government-resource)
- techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/ (mitre, media-coverage)
- www.aquaforest.com/blog/aquaforest-tiff-server-sunsetting (mitre, product)
- www.tylertech.com/solutions/courts-public-safety/courts-justice (mitre, product)
- github.com/qwell/disorder-in-the-court/blob/main/README-TylerTechnologies.md (mitre)