CVE-2023-23912 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.8 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
hackerone	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	8.8 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Vendor	Product	Version
ui	usg_firmware	𝑥 < 4.4.57
ui	usg-pro-4_firmware	𝑥 < 4.4.57
ui	er-10x_firmware	𝑥 < 2.0.9
ui	er-10x_firmware	2.0.9
ui	er-10x_firmware	2.0.9:hotfix2
ui	er-10x_firmware	2.0.9:hotfix4
ui	er-10x_firmware	2.0.9:hotfix5
ui	er-12_firmware	𝑥 < 2.0.9
ui	er-12_firmware	2.0.9
ui	er-12_firmware	2.0.9:hotfix2
ui	er-12_firmware	2.0.9:hotfix4
ui	er-12_firmware	2.0.9:hotfix5
ui	er-12p_firmware	𝑥 < 2.0.9
ui	er-12p_firmware	2.0.9
ui	er-12p_firmware	2.0.9:hotfix2
ui	er-12p_firmware	2.0.9:hotfix4
ui	er-12p_firmware	2.0.9:hotfix5
ui	er-4_firmware	𝑥 < 2.0.9
ui	er-4_firmware	2.0.9
ui	er-4_firmware	2.0.9:hotfix2
ui	er-4_firmware	2.0.9:hotfix4
ui	er-4_firmware	2.0.9:hotfix5
ui	er-6p_firmware	𝑥 < 2.0.9
ui	er-6p_firmware	2.0.9
ui	er-6p_firmware	2.0.9:hotfix2
ui	er-6p_firmware	2.0.9:hotfix4
ui	er-6p_firmware	2.0.9:hotfix5
ui	er-8-xg_firmware	𝑥 < 2.0.9
ui	er-8-xg_firmware	2.0.9
ui	er-8-xg_firmware	2.0.9:hotfix2
ui	er-8-xg_firmware	2.0.9:hotfix4
ui	er-8-xg_firmware	2.0.9:hotfix5
ui	er-x_firmware	𝑥 < 2.0.9
ui	er-x_firmware	2.0.9
ui	er-x_firmware	2.0.9:hotfix2
ui	er-x_firmware	2.0.9:hotfix4
ui	er-x_firmware	2.0.9:hotfix5
ui	er-x-sfp_firmware	𝑥 < 2.0.9
ui	er-x-sfp_firmware	2.0.9
ui	er-x-sfp_firmware	2.0.9:hotfix2
ui	er-x-sfp_firmware	2.0.9:hotfix4
ui	er-x-sfp_firmware	2.0.9:hotfix5

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
The software does not adequately filter user-controlled input for special elements with control implications.
CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f

https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f