CVE-2023-32173

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-32173
Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the implementation of the AddServer method. By specifying crafted arguments, an attacker can cause invalid characters to be inserted into an XML configuration file. An attacker can leverage this vulnerability to create a persistent denial-of-service condition on the system. . Was ZDI-CAN-20576.

5.8 /10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H

Exploitability : 1.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-23-779/ Third Party Advisory
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt Release Notes
https://www.zerodayinitiative.com/advisories/ZDI-23-779/ Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:unified-automation:uagateway:*:*:*:*:*:*:*:*
History

08 Aug 2025, 14:17

Type Values Removed Values Added
First Time Unified-automation uagateway
Unified-automation
References () https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt - () https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt - Release Notes
References () https://www.zerodayinitiative.com/advisories/ZDI-23-779/ - () https://www.zerodayinitiative.com/advisories/ZDI-23-779/ - Third Party Advisory
CPE cpe:2.3:a:unified-automation:uagateway:*:*:*:*:*:*:*:*

21 Nov 2024, 08:02

Type Values Removed Values Added
References () https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt - () https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt -
References () https://www.zerodayinitiative.com/advisories/ZDI-23-779/ - () https://www.zerodayinitiative.com/advisories/ZDI-23-779/ -

18 Sep 2024, 19:15

Type Values Removed Values Added
Summary
  • (es) Vulnerabilidad de denegación de servicio de inyección XML de Unified Automation UaGateway AddServer. Esta vulnerabilidad permite a atacantes remotos crear una condición de denegación de servicio en las instalaciones afectadas de Unified Automation UaGateway. Se requiere autenticación para aprovechar esta vulnerabilidad cuando el producto está en su configuración predeterminada. La falla específica existe en la implementación del método AddServer. Al especificar argumentos manipulados, un atacante puede provocar que se inserten caracteres no válidos en un archivo de configuración XML. Un atacante puede aprovechar esta vulnerabilidad para crear una condición de denegación de servicio persistente en el sistema. Era ZDI-CAN-20576.
Summary (en) Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the implementation of the AddServer method. By specifying crafted arguments, an attacker can cause invalid characters to be inserted into an XML configuration file. An attacker can leverage this vulnerability to create a persistent denial-of-service condition on the system. . Was ZDI-CAN-20576. (en) Unified Automation UaGateway AddServer XML Injection Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Unified Automation UaGateway. Authentication is required to exploit this vulnerability when the product is in its default configuration. The specific flaw exists within the implementation of the AddServer method. By specifying crafted arguments, an attacker can cause invalid characters to be inserted into an XML configuration file. An attacker can leverage this vulnerability to create a persistent denial-of-service condition on the system. . Was ZDI-CAN-20576.

03 May 2024, 02:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-03 02:15

Updated : 2025-08-08 14:17

NVD link : CVE-2023-32173

Mitre link : CVE-2023-32173

CVE.ORG link : CVE-2023-32173

JSON object : View

Products Affected

unified-automation

  • uagateway
CWE
CWE-91

XML Injection (aka Blind XPath Injection)