CVE-2023-28489

EPSS 1.6%
Veröffentlicht 11.04.2023 10:15:18
Zuletzt bearbeitet 21.11.2024 07:55:12
Quelle productcert@siemens.com
Teams Watchlist Login
Unerledigt Login

A vulnerability has been identified in CP-8031 MASTER MODULE (All versions < CPCI85 V05), CP-8050 MASTER MODULE (All versions < CPCI85 V05). Affected devices are vulnerable to command injection via the web server port 443/tcp, if the parameter “Remote Operation” is enabled. The parameter is disabled by default.
The vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Siemens ≫ Cp-8031 Firmware Version < cpci85_v05

Siemens ≫ Cp-8031 Version-

Siemens ≫ Cp-8050 Firmware Version < cpci85_v05

Siemens ≫ Cp-8050 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.6%	0.806

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
productcert@siemens.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://packetstormsecurity.com/files/173370/Siemens-A8000-CP-8050-CP-8031-Code-Execution-Command-Injection.html

http://seclists.org/fulldisclosure/2023/Jul/14

https://cert-portal.siemens.com/productcert/pdf/ssa-472454.pdf

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28489

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28489

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28489

EUVD