Lucene search

[email protected]CVE-2023-31245

HistoryMay 22, 2023 - 8:15 p.m.

CVE-2023-31245

2023-05-2220:15:10

CWE-601

[email protected]

web.nvd.nist.gov

security

vulnerability

snap one ovrc

http

impersonation

redirection

nvd

cve-2023-31245

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

6.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

43.8%

JSON

Devices using Snap One OvrC cloud are sent to a web address when accessing a web management interface using a HTTP connection. Attackers could impersonate a device and supply malicious information about the device’s web server interface. By supplying malicious parameters, an attacker could redirect the user to arbitrary and dangerous locations on the web.

Affected configurations

NVD

Node

snaponeorvcRange<7.3.0pro

AND

control4ca-1Match-

control4ca-10Match-

control4ea-1Match-

control4ea-3Match-

control4ea-5Match-

snaponean-110-rt-2l1wMatch-

snaponean-110-rt-2l1w-wifiMatch-

snaponean-310-rt-4l2wMatch-

snaponeovrc-300-proMatch-

snaponepakedge_rk-1Match-

snaponepakedge_rt-3100Match-

snaponepakedge_wr-1Match-

CPENameOperatorVersion
snapone:orvcsnapone orvclt7.3.0

CPE	Name	Operator	Version
snapone:orvc	snapone orvc	lt	7.3.0

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OvrC Cloud",
    "vendor": "Snap One",
    "versions": [
      {
        "lessThan": "7.3",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-136-01

www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf