Solar-Log Base 15

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 5.1
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: Solar-Log
  • Equipment: Base 15
  • Vulnerability: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker obtaining unauthorized access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Solar-Log Base 15 are affected:

  • Base 15: Firmware 6.0.1 Build 161

3.2 Vulnerability Overview

The affected product is vulnerable to a cross-site scripting attack, which may allow an attacker to bypass access controls and gain unauthorized access.

CVE-2023-46344 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-46344. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Multiple
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CISA discovered a public proof of concept (PoC) as authored by Vincent McRae and Mesut Cetin of Redteamer IT Security and reported it to Solar-Log.

4. MITIGATIONS

Solar-Log has released the following versions for users to dow

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article: