8.8

CVE-2023-35794

Exploit

EPSS 0.31%
Veröffentlicht 27.10.2023 21:15:08
Zuletzt bearbeitet 21.11.2024 08:08:43
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cassianetworks ≫ Access Controller Version2.1.1.2303271039

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.54

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://www.cassianetworks.com/products/iot-access-controller/

Product

https://blog.kscsc.online/cves/202335794/md.html

https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-35794

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35794

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35794

EUVD