CVE-2023-39452

The web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*

cpe:2.3:h:socomec:modulys_gp:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-09-18 21:16

Updated : 2024-05-17 02:26

NVD link : CVE-2023-39452

Mitre link : CVE-2023-39452

CVE.ORG link : CVE-2023-39452

JSON object : View

Products Affected

socomec

modulys_gp_firmware
modulys_gp

CWE

CWE-256

Plaintext Storage of a Password

{"id": "CVE-2023-39452", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "ics-cert@hq.dhs.gov"}], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2023-09-18T21:16:04.367", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-256"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThe web application that owns the device clearly stores the credentials within the user management section. Obtaining this information can be done remotely due to the incorrect management of the sessions in the web application.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "** NO COMPATIBLE CUANDO EST\u00c1 ASIGNADO ** La aplicaci\u00f3n web propietaria del dispositivo almacena claramente las credenciales dentro de la secci\u00f3n de administraci\u00f3n de usuarios. La obtenci\u00f3n de esta informaci\u00f3n se puede hacer de forma remota debido a la gesti\u00f3n incorrecta de las sesiones en la aplicaci\u00f3n web. "}], "lastModified": "2024-05-17T02:26:59.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A69C11D7-9B54-4F66-95F3-33B8E6F9E37B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:socomec:modulys_gp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7C795C90-1E56-4F38-B637-6C12DEAF6541"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}