PT-2022-3462 · Open Automation · Open Automation Software Oas Platform
Jared Rittle · Published 2022-05-25 · Updated 2023-07-26
CVE-2022-26303
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Open Automation Software OAS Platform version V16.00.0112
Description
The issue is in the OAS Engine SecureAddUser functionality, where a missing authentication check for a critical function can be exploited. An attacker can send a specially crafted series of network requests to create an OAS user account, potentially leading to unauthorized system access.
Recommendations
For Open Automation Software OAS Platform version V16.00.0112, consider disabling the SecureAddUser functionality until a patch is available to prevent exploitation. Restrict access to the OAS Engine to minimize the risk of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Missing Authentication
Affected Products
Open Automation Software Oas Platform