Jul 06, 2023 - 3:15 p.m.

CVE-2023-23907

2023-07-06 15:15:11
CWE-22
web.nvd.nist.gov
Tags: security, vulnerability, milesight vpn, directory traversal, arbitrary file read, network request

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 8.6 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 41.0%)

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

Affected configurations

Node: milesight milesightvpn, Range: v2.0.2

Vendor | Product | Version | CPE
milesight | milesightvpn | * | cpe:2.3:a:milesight:milesightvpn:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "Milesight",
    "product": "MilesightVPN",
    "versions": [
      {
        "version": "v2.0.2",
        "status": "affected"
      }
    ]
  }
]
