CVE-2023-7328
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control on the user management API allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DB Elettronica Telecomunicazioni SpA | Screen SFT DAB 600/C | 0 <= 1.9.3 | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
- https://www.exploit-db.com/exploits/51460
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
References
- https://www.exploit-db.com/exploits/51460
- https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
- https://packetstormsecurity.com/files/172332/
- https://www.vulncheck.com/advisories/screen-sft-dab-600c-unauthenticated-information-disclosure
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.