CVE-2023-2625
9
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Hitachi Energy | TXpert Hub CoreTec 4 | TXpert Hub CoreTec 4 version 2.0.* | affected |
| Hitachi Energy | TXpert Hub CoreTec 4 | TXpert Hub CoreTec 4 version 2.1.* | affected |
| Hitachi Energy | TXpert Hub CoreTec 4 | TXpert Hub CoreTec 4 version 2.2.* | affected |
| Hitachi Energy | TXpert Hub CoreTec 4 | TXpert Hub CoreTec 4 version 2.3.* | affected |
| Hitachi Energy | TXpert Hub CoreTec 4 | TXpert Hub CoreTec 4 version 2.4.* | affected |
| Hitachi Energy | TXpert Hub CoreTec 4 | TXpert Hub CoreTec 4 version 3.0.1 | unaffected |
Weaknesses
- CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Workarounds
Apply mitigation as described in the cybersecurity advisory Mitigation Factors/Workarounds Section.
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.