CVE-2023-3305

18.06.2023, 08:15

A vulnerability was found in C-DATA Web Management System up to 20230607. It has been classified as critical. This affects an unknown part of the file /cgi-bin/jumpto.php?class=user&page=config_save&isphp=1 of the component User Creation Handler. The manipulation of the argument user/newpassword leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-231801 was assigned to this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
VulDB	CNA	7.3 HIGH				CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Vendor	Product	Version
cdatatec	web_management_system	𝑥 ≤ 20230607

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/sleepyvv/vul_report/blob/main/C-data/BrokenAccessControl.md

https://vuldb.com/?ctiid.231801

https://vuldb.com/?id.231801

https://github.com/sleepyvv/vul_report/blob/main/C-data/BrokenAccessControl.md

https://vuldb.com/?ctiid.231801

https://vuldb.com/?id.231801