Lucene search

[email protected]NVD:CVE-2023-39462

HistoryMay 03, 2024 - 3:15 a.m.

CVE-2023-39462

2024-05-0303:15:11

CWE-434

[email protected]

web.nvd.nist.gov

vulnerability

remote attackers

arbitrary files

authentication bypass

workspace files

user-supplied data

arbitrary code

root context

zdi-can-20536

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

16.2%

JSON

Triangle MicroWorks SCADA Data Gateway Workspace Unrestricted Upload Vulnerability. This vulnerability allows remote attackers to upload arbitrary files on affected installations of Triangle MicroWorks SCADA Data Gateway. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the processing of workspace files. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this in conjunction with other vulnerabilitites to execute arbitrary code in the context of root. Was ZDI-CAN-20536.

References

www.trianglemicroworks.com/products/scada-data-gateway/what's-new

www.zerodayinitiative.com/advisories/ZDI-23-1030/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

16.2%

JSON

Related for NVD:CVE-2023-39462

vulnrichment1 zdi1 cvelist1 cve1