PT-2023-15102 · Vocera · Vocera Voice Server
Published: 2023-07-25 · Updated: 2023-08-01 · CVE-2022-46901
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Vocera Report Server and Voice Server versions 5.x through 5.8
Description
An issue was discovered that allows for an Access Control Violation for Database Operations. The Vocera Report Console contains a websocket interface that permits the unauthenticated execution of various tasks and database functions, including system tasks, and backing up, loading, and clearing of the database.
Recommendations
For versions 5.x through 5.8, consider disabling the websocket interface in the Vocera Report Console until a patch is available to prevent unauthenticated execution of tasks and database functions.
Restrict access to the Vocera Report Console to minimize the risk of exploitation.
Avoid using the websocket interface for database operations until the issue is resolved.
Fix
Weakness Enumeration
Exposure of Resource to Wrong Sphere
Related Identifiers
Affected Products
Vocera Report Console
Vocera Report Server
Vocera Voice Server