CVE-2023-39446

Thanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application.

CVSS v3 8.9 HIGH

8.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03	Third Party Advisory US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*

cpe:2.3:h:socomec:modulys_gp:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:15

Type	Values Removed	Values Added
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03 - Third Party Advisory, US Government Resource~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03 - Third Party Advisory, US Government Resource
CVSS	v2 : ~~unknown~~ v3 : ~~8.8~~	v2 : unknown v3 : 8.9

21 Mar 2024, 02:48

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-18 21:15

Updated : 2024-11-21 08:15

NVD link : CVE-2023-39446

Mitre link : CVE-2023-39446

CVE.ORG link : CVE-2023-39446

JSON object : View

Products Affected

socomec

modulys_gp_firmware
modulys_gp

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2023-39446", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "ics-cert@hq.dhs.gov"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2023-09-18T21:15:56.117", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03", "tags": ["Third Party Advisory", "US Government Resource"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "\n\n\n\n\n\n\nThanks to the weaknesses that the web application has at the user management level, an attacker could obtain the information from the headers that is necessary to create specially designed URLs and originate malicious actions when a legitimate user is logged into the web application.\n\n\n\n\n\n\n\n"}, {"lang": "es", "value": "** NO COMPATIBLE CUANDO EST\u00c1 ASIGNADO ** Gracias a las debilidades que tiene la aplicaci\u00f3n web a nivel de administraci\u00f3n de usuarios, un atacante podr\u00eda obtener la informaci\u00f3n de los encabezados necesaria para crear URLs especialmente manipuladas y originar acciones maliciosas cuando un usuario leg\u00edtimo inicia sesi\u00f3n en la aplicaci\u00f3n web."}], "lastModified": "2024-11-21T08:15:26.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A69C11D7-9B54-4F66-95F3-33B8E6F9E37B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:socomec:modulys_gp:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7C795C90-1E56-4F38-B637-6C12DEAF6541"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}