1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: CAREL
- Equipment: Boss-Mini
- Vulnerability: Path Traversal
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to manipulate an argument path, which would lead to information disclosure.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of CAREL Boss-Mini, a local supervisor solution, are affected:
- Boss-Mini: Version 1.4.0 (Build 6221)
3.2 Vulnerability Overview
Under certain conditions, a malicious actor already present in the same network segment of the affected product, could abuse Local File Inclusion (LFI) techniques to access unauthorized file system resources, such as configuration files, password files, system logs, or other sensitive data. This could expose confidential information and potentially lead to further threats.
CVE-2023-3643 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-3643. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Italy
3.4 RESEARCHER
Werley
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: