CVE-2023-38379

EUVD-2023-42196
The web interface on the RIGOL MSO5000 digital oscilloscope with firmware 00.01.03.00.03 allows remote attackers to change the admin password via a zero-length pass0 to the webcontrol changepwd.cgi application, i.e., the entered password only needs to match the first zero characters of the saved password.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
rigolmso5000_firmware
00.01.03.00.03
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://news.ycombinator.com/item?id=36745664
https://tortel.li/post/insecure-scope/
https://news.ycombinator.com/item?id=36745664
https://tortel.li/post/insecure-scope/