CVE-2021-23858
EUVD-2021-1078404.10.2021, 18:15
Information disclosure: The main configuration, including users and their hashed passwords, is exposed by an unprotected web server resource and can be accessed without authentication. Additionally, device details are exposed which include the serial number and the firmware version by another unprotected web server resource.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| bosch | rexroth_indramotion_mlc_l20_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_l40_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_l25_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_l45_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_l65_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_l85_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_xm21_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_xm22_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_xm41_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_xm42_firmware | 𝑥 ≤ 12 |
| bosch | indracontrol_xlc_firmware | 𝑥 ≤ 12 |
| bosch | rexroth_indramotion_mlc_l75_firmware | 𝑥 ≤ 12 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-306 - Missing Authentication for Critical FunctionThe product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.