Jun 30, 2023 - 2:15 p.m.

CVE-2023-33276

2023-06-30 14:15:09
CWE-79
web.nvd.nist.gov

Tags: gira giersiepen, gira knx/ip-router, web interface, 404 - not found, xss, security vulnerability, cve-2023-33276

CVSS3: 6.1 Medium

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: CHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 6 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 20.5%)

The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and 3.3.8.0 responds with a “404 - Not Found” status code if a path is accessed that does not exist. However, the value of the path is reflected in the response. As the application will reflect the supplied path without context-sensitive HTML encoding, it is vulnerable to reflective cross-site scripting (XSS).
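The pattern described above, as an added example (not Gira firmware code): a 404 handler that reflects the decoded path verbatim, next to one that encodes it for each output context, plus a regression check a defender can run against either. All function names and the probe string are hypothetical and constructed for illustration.

```python
import html
from urllib.parse import quote, unquote

# Constructed 404 template; the real device's markup is not on the page.
PAGE = ("<html><body><h1>404 - Not Found</h1>"
        "<p>The path {shown} was not found.</p>{extra}</body></html>")

# Constructed, inert probe carrying the HTML metacharacters < > " '
PROBE = "/zz9%3Ci%3Eprobe%3C/i%3E%22%27"


def render_404_unsafe(raw_path: str) -> str:
    """Deliberately vulnerable: the decoded path is reflected as-is."""
    return PAGE.format(shown=unquote(raw_path), extra="")


def render_404_safe(raw_path: str) -> str:
    """Encode the path separately for each context it is written into."""
    path = unquote(raw_path)
    # HTML text context: escape & < > and both quote characters.
    shown = html.escape(path, quote=True)
    # URL inside an attribute: percent-encode first, then HTML-escape.
    href = html.escape(quote(path, safe="/"), quote=True)
    extra = f'<a href="{href}">Retry</a>'
    return PAGE.format(shown=shown, extra=extra)


def respond_404(raw_path: str):
    """Status, headers and body; the CSP is defence in depth (an assumption,
    not something the advisory prescribes)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }
    return 404, headers, render_404_safe(raw_path)


def reflected_raw(body: str, raw_path: str) -> bool:
    """Regression check: does the decoded probe appear unencoded in the body?"""
    return unquote(raw_path) in body


if __name__ == "__main__":
    for name, render in (("unsafe", render_404_unsafe), ("safe", render_404_safe)):
        print(f"{name}: reflected unencoded = {reflected_raw(render(PROBE), PROBE)}")
```
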

Affected configurations (NVD)

Node:

- gira knx_ip_router_firmware, match 3.1.3683.0
- OR gira knx_ip_router_firmware, match 3.3.8.0
- AND gira knx_ip_router, match -
