Design/Logic Flaw

2021-08-0211:15:00

PRIOn knowledge base

www.prio-n.com

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

19.6%

JSON

In MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2 an authenticated attacker can change the password of his account into a new password that violates the password policy by intercepting and modifying the request that is send to the server.

CPENameOperatorVersion
myrex24le2.11.2
myrex24.virtualle2.11.2
mbconnect24le2.11.2
mymbconnect24le2.11.2

Name	Operator	Version
myrex24	le	2.11.2
myrex24.virtual	le	2.11.2
mbconnect24	le	2.11.2
mymbconnect24	le	2.11.2

References

cert.vde.com/en/advisories/VDE-2021-030

cert.vde.com/en/advisories/VDE-2022-039