CVE-2023-37857
3.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Summary
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PHOENIX CONTACT | WP 6070-WVPS | 0 < 4.0.10 | affected |
| PHOENIX CONTACT | WP 6101-WXPS | 0 < 4.0.10 | affected |
| PHOENIX CONTACT | WP 6121-WXPS | 0 < 4.0.10 | affected |
| PHOENIX CONTACT | WP 6156-WHPS | 0 < 4.0.10 | affected |
| PHOENIX CONTACT | WP 6185-WHPS | 0 < 4.0.10 | affected |
| PHOENIX CONTACT | WP 6215-WHPS | 0 < 4.0.10 | affected |
Weaknesses
- CWE-798: CWE-798 Use of Hard-coded Credentials
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.