CVE-2023-53739
9.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Summary
Tinycontrol LAN Controller v3 LK3 version 1.58a contains an unauthenticated vulnerability that allows remote attackers to download configuration backup files containing sensitive credentials. Attackers can retrieve the lk3_settings.bin file and extract base64-encoded user and admin passwords without authentication.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Tinycontrol | Tinycontrol LAN Controller v | <=1.58a | affected |
| Tinycontrol | Tinycontrol LAN Controller v | HW 3.8 | affected |
| Tinycontrol | LK | <=1.58a | affected |
| Tinycontrol | LK | HW 3.8 | affected |
Weaknesses
- CWE-260: CWE-260: Password in Configuration File
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/51731
- https://www.tinycontrol.pl
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
- https://www.vulncheck.com/advisories/tinycontrol-lan-controller-v3-lk3-unauthenticated-configuration-backup-disclosure
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.