CVE-2023-45220

The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve  sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
boschrexrothctrlx_hmi_web_panel_wr2107_firmware
*
boschrexrothctrlx_hmi_web_panel_wr2110_firmware
*
boschrexrothctrlx_hmi_web_panel_wr2115_firmware
*
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
boschrexrothctrlx_hmi_web_panel_wr2107
𝑥
< RC7(Build date 20231107)
ADP
Common Weakness Enumeration
References
https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html
https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.html