CVE-2023-4667

Summary

The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface. 

The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware.

This could lead to  unauthorized access and data leakage

Affected Software

VendorProductVersion RangeStatus
IDEMIASIGMA Lite & Lite +0affected
IDEMIASIGMA Wide0affected
IDEMIASIGMA Extreme0affected
IDEMIAMorphoWave Compact/XP0affected
IDEMIAVisionPass0affected
IDEMIAMorphoWave SP0affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References