PT-2023-4196 · Phoenix Contact · Wp 6Xxx Series Web Panels
Gabriele Quagliarella
·
Published
2023-08-08
·
Updated
2023-08-25
·
CVE-2023-3573
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
PHOENIX CONTACTs WP 6xxx series web panels versions prior to 4.0.10
Description
A remote attacker with low privileges may use a command injection in a HTTP POST request related to font configuration operations to gain full access to the device. The vulnerability exists due to the lack of measures to neutralize special elements used in the operating system command. Exploitation of the vulnerability may allow an attacker to gain unauthorized access to the device using a specially crafted POST request.
Recommendations
For versions prior to 4.0.10, update to version 4.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the font configuration operations to minimize the risk of exploitation. Avoid using the vulnerable HTTP POST request related to font configuration operations until the issue is resolved.
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wp 6Xxx Series Web Panels