CVE-2024-28134

EUVD-2024-25281

14.05.2024, 16:16

	
		
		
	
	
		
			
				
					

	
		
		
	
	
		


			
				
					An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based
management access with the privileges of the currently logged in user due to cleartext transmission of sensitive information. No additional user interaction is required. The access is limited as only non-sensitive information can be obtained but the availability can be seriously affected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 55%

Affected Products (NVD)

Vendor	Product	Version
phoenixcontact	charx_sec-3000_firmware	𝑥 ≤ 1.5.1
phoenixcontact	charx_sec-3050_firmware	𝑥 ≤ 1.5.1
phoenixcontact	charx_sec-3100_firmware	𝑥 ≤ 1.5.1
phoenixcontact	charx_sec-3150_firmware	𝑥 ≤ 1.5.1

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
phoenixcontact	charx_sec_3000	𝑥 ≤ 1.5.1	ADP
phoenixcontact	charx_sec_3100	𝑥 ≤ 1.5.1	ADP
phoenixcontact	charx_sec_3150	𝑥 ≤ 1.5.1	ADP
phoenixcontact	charx_sec_3050	𝑥 ≤ 1.5.1	ADP

Common Weakness Enumeration

CWE-319 - Cleartext Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

References

https://cert.vde.com/en/advisories/VDE-2024-019