CVE-2023-45852

CRITICAL

9.8

Description

In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie10/14/2023

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

viessmann:vitogate_300viessmann:vitogate_300_firmware

Faiblesses (CWE)

CWE-77

References

https://connectivity.viessmann.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html(cve@mitre.org)

https://github.com/Push3AX/vul/blob/main/viessmann/Vitogate300_RCE.md(cve@mitre.org)

https://connectivity.viessmann.com/gb/mp-fp/vitogate/vitogate-300-bn-mb.html(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/Push3AX/vul/blob/main/viessmann/Vitogate300_RCE.md(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.