PT-2023-6264 · Unknown · Cp-8031 Master Module+1

Published 2023-10-10 · Updated 2023-10-16 · CVE-2023-42796

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

CP-8031 MASTER MODULE versions prior to CPCI85 V05.11
CP-8050 MASTER MODULE versions prior to CPCI85 V05.11

Description

A vulnerability has been identified in the web server of the affected devices, which fails to properly sanitize user input for the "/sicweb-ajax/tmproot/" endpoint. This could allow an authenticated remote attacker to traverse directories on the system and download arbitrary files. The vulnerability could potentially be leveraged to escalate privileges to the administrator role by exploring active session IDs.

Recommendations

For CP-8031 MASTER MODULE versions prior to CPCI85 V05.11, update to version CPCI85 V05.11 or later to resolve the issue. For CP-8050 MASTER MODULE versions prior to CPCI85 V05.11, update to version CPCI85 V05.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/sicweb-ajax/tmproot/" endpoint until a patch is available.
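
For the period before the update is installed, the following added example (not part of the original advisory and not vendor code) flags logged requests to the "/sicweb-ajax/tmproot/" endpoint whose decoded path contains a parent-directory segment. It assumes a proxy or network sensor in front of the device that writes combined-format access logs; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

ENDPOINT = "/sicweb-ajax/tmproot/"  # endpoint named in the advisory
# Assumption: combined-log-format lines from a proxy or sensor in front of the device.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(target):
    """True when a request to the endpoint carries a parent-directory segment."""
    path = decode_fully(target).replace("\\", "/")
    lowered = path.lower()
    if ENDPOINT not in lowered:
        return False
    tail = path[lowered.index(ENDPOINT) + len(ENDPOINT):]
    return ".." in re.split(r"[/?&=]", tail)

def scan(lines):
    """Return (source, status, raw target) for every suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["src"], int(m["status"]), m["target"]))
    return hits

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2023:08:00:01 +0000] "GET /sicweb-ajax/tmproot/report.txt HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2023:08:00:07 +0000] "GET /sicweb-ajax/tmproot/../../placeholder.txt HTTP/1.1" 200 90',
    '192.0.2.44 - - [10/Oct/2023:08:00:09 +0000] "GET /sicweb-ajax/tmproot/%252e%252e%252fplaceholder.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [10/Oct/2023:08:00:12 +0000] "GET /index.html?next=../x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for src, status, target in scan(SAMPLE):
        print(f"{src} status={status} {target}")
```

Flagged requests that were answered with status 200 deserve review first, since the description states that the flaw allows files to be downloaded.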

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2023-06973
CVE-2023-42796

Affected Products

Cp-8031 Master Module
Cp-8050 Master Module