1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Delta Electronics
- Equipment: InfraSuite Device Master
- Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Exposed Dangerous Method or Function.
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to remotely execute arbitrary code and obtain plaintext credentials.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Delta Electronics products are affected:
- InfraSuite Device Master: Versions 1.0.7 and prior
3.2 Vulnerability Overview
3.2.1 PATH TRAVERSAL CWE-35
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an attacker to write to any file to any location of the filesystem, which could lead to remote code execution.
CVE-2023-46690 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502
In Delta Electronics InfraSuite Device Master v.1.0.7, a vulnerability exists that allows an unauthenticated attacker to execute code with local administrator privileges.
CVE-2023-47207 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.3 […]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: