CVE-2023-35134

Summary

Weintek Weincloud v0.13.6

could allow an attacker to reset a password with the corresponding account’s JWT token only.

Affected Software

VendorProductVersion RangeStatus
WeintekWeincloud0 <= 0.13.6affected

Weaknesses

  • CWE-640: CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Workarounds

​Additional mitigations are recommended to help reduce risk:

  • ​Log in on trusted computers if possible. Log out after usage on un-trusted ones.
  • ​On the HMIs, if the online services are not used, set to offline mode for EasyAccess 2.0 or Dashboard services using system reserved addresses.
  • ​Regularly change passwords to reduce risks.
  • ​Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible- only applicable devices and/or systems have access to the internet.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References