PT-2023-29990 · Loytec · Loytec Liob-586+7

Chizuru Toyama · Published 2023-11-04 · Updated 2024-09-19 · CVE-2023-46381

CVSS v3.1: 8.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions

LOYTEC LINX-151 (affected versions not specified)
LOYTEC LINX-212 version 6.2.4
LOYTEC LVIS-3ME12-A1 version 6.2.2
LOYTEC LIOB-586 version 6.2.3
LOYTEC LIOB-580 V2 (affected versions not specified)
LOYTEC LIOB-588 (affected versions not specified)
L-INX Configurator devices (all versions)

Description

The issue concerns a lack of authentication for the preinstalled version of LWEB-802 via an lweb802 pre/ URI. An unauthenticated attacker can edit any project, create a new project, and control its GUI.

Recommendations

For LOYTEC LINX-151, restrict access to the lweb802 pre/ URI until a patch is available.
For LOYTEC LINX-212 version 6.2.4, consider disabling the LWEB-802 service until a fix is provided.
For LOYTEC LVIS-3ME12-A1 version 6.2.2, avoid using the lweb802 pre/ URI in production environments until the issue is resolved.
For LOYTEC LIOB-586 version 6.2.3, limit access to the LWEB-802 interface to minimize the risk of exploitation.
For LOYTEC LIOB-580 V2, LIOB-588, and L-INX Configurator devices, restrict access to the lweb802 pre/ URI and LWEB-802 service until a patch or fix is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2023-46381

Affected Products

Linx Configurator
Loytec Linx-151
Loytec Linx-212
Loytec Liob-580
Loytec Liob-586
Loytec Liob-588
Loytec Lvis-3Me12-A1
Lweb-802