10

CVE-2023-22600

EPSS 0.12%
Veröffentlicht 12.01.2023 23:15:10
Zuletzt bearbeitet 21.11.2024 07:45:02
Quelle ics-cert@hq.dhs.gov
CVE-Watchlists
Login
Unerledigt
Login

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmware updates.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Inhandnetworks ≫ Inrouter302 Firmware Version < 3.5.56

Inhandnetworks ≫ Inrouter302 Version-

Inhandnetworks ≫ Inrouter615-s Firmware Version < 2.3.0.r5542

Inhandnetworks ≫ Inrouter615-s Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.12%	0.32

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ics-cert@hq.dhs.gov	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://www.cisa.gov/uscert/ics/advisories/icsa-23-012-03

Third Party Advisory

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-22600

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-22600

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-22600

EUVD