1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: LOYTEC electronics GmbH
- Equipment: LINX series
- Vulnerabilities: Cleartext Transmission of Sensitive Information, Missing Authentication for Critical Function, Cleartext Storage of Sensitive Information, Improper Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information or make modifications to an affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Loytec products are affected:
- LINX-151: All versions
- LINX-212: All versions
- LVIS-3ME12-A1: All versions
- LIOB-586: All versions
- LIOB-580 V2: All versions
- LIOB-588: All versions
- L-INX Configurator: All versions
3.2 Vulnerability Overview
3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
LOYTEC LINX-212 firmware 6.2.4, LVIS-3ME12-A1 firmware 6.2.2 and LIOB-586 firmware 6.2.3 devices send password-change requests via cleartext HTTP.
CVE-2023-46380 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-46380. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N<
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: