VDE-2023-041

Vulnerability from csaf_mbconnectlinegmbh - Published: 2023-10-16 08:38 - Updated: 2023-10-16 08:38
Summary
MB connect line: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24
Severity
Medium
Notes
Summary: In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.
Impact: An authenticated, low privileged attacker can gain read access to limited, non-critical device information in his account he should not have access to.
Remediation: Update to latest Version 2.14.3
CVE-2023-4834

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.

4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-269 - Improper Privilege Management
Vendor Fix Update to latest Version 2.14.3
References
Acknowledgments
CERT@VDE certvde.com
OTORIO
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "organization": "OTORIO",
        "summary": "reporting"
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Medium"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "In Red Lion Europe\u00a0mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an\u00a0improperly implemented access validation allows an authenticated, low privileged\u00a0attacker to gain read access to limited, non-critical device information in his account he should not have access to.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "An authenticated, low privileged attacker can gain read access to limited, non-critical device information in his account he should not have access to.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update to latest Version 2.14.3",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "security-team@mbconnectline.de",
      "name": "MB connect line GmbH",
      "namespace": "https://mbconnectline.com"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for MB connect line GmbH",
        "url": "https://certvde.com/en/advisories/vendor/mbconnectline"
      },
      {
        "category": "self",
        "summary": "VDE-2023-041: MB connect line: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24 - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2023-041/"
      },
      {
        "category": "self",
        "summary": "VDE-2023-041: MB connect line: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24 - CSAF",
        "url": "https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-041.json"
      },
      {
        "category": "external",
        "summary": "MB connect line Security Advice",
        "url": "https://mbconnectline.com/security-advice/"
      }
    ],
    "title": "MB connect line: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24",
    "tracking": {
      "aliases": [
        "VDE-2023-041"
      ],
      "current_release_date": "2023-10-16T08:38:00.000Z",
      "generator": {
        "date": "2025-06-25T06:20:08.262Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.28"
        }
      },
      "id": "VDE-2023-041",
      "initial_release_date": "2023-10-16T08:38:00.000Z",
      "revision_history": [
        {
          "date": "2023-10-16T08:38:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.14.2",
                    "product": {
                      "name": "mbCONNECT24 \u003c=2.14.2",
                      "product_id": "CSAFPID-51003"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.14.3",
                    "product": {
                      "name": "mbCONNECT24 2.14.3",
                      "product_id": "CSAFPID-52003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "mbCONNECT24"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "\u003c=2.14.2",
                    "product": {
                      "name": "mymbCONNECT24 \u003c=2.14.2",
                      "product_id": "CSAFPID-51004"
                    }
                  },
                  {
                    "category": "product_version",
                    "name": "2.14.3",
                    "product": {
                      "name": "mymbCONNECT24 2.14.3",
                      "product_id": "CSAFPID-52004"
                    }
                  }
                ],
                "category": "product_name",
                "name": "mymbCONNECT24"
              }
            ],
            "category": "product_family",
            "name": "Software"
          }
        ],
        "category": "vendor",
        "name": "MB connect line"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-51003",
          "CSAFPID-51004"
        ],
        "summary": "Affected products "
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-52003",
          "CSAFPID-52004"
        ],
        "summary": "Fixed products"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-4834",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "notes": [
        {
          "category": "description",
          "text": "In Red Lion Europe\u00a0mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an\u00a0improperly implemented access validation allows an authenticated, low privileged\u00a0attacker to gain read access to limited, non-critical device information in his account he should not have access to.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-51003",
          "CSAFPID-51004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update to latest Version 2.14.3",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 4.3,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 4.3,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-51003",
            "CSAFPID-51004"
          ]
        }
      ],
      "title": "CVE-2023-4834"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.