CVE-2023-45220

Summary

The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.

Affected Software

VendorProductVersion RangeStatus
RexrothctrlX HMI Web Panel - WR21 (WR2107)allaffected
RexrothctrlX HMI Web Panel - WR21 (WR2110)allaffected
RexrothctrlX HMI Web Panel - WR21 (WR2115)allaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References