Lucene search

SiemensCVELIST:CVE-2023-31238

HistoryJun 13, 2023 - 8:17 a.m.

CVE-2023-31238

2023-06-1308:17:13

CWE-732

siemens

www.cve.org

vulnerability

power meter sicam q100

session token hijacking

default settings

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.6%

JSON

A vulnerability has been identified in POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60), POWER METER SICAM Q100 (All versions < V2.60). Affected devices are missing cookie protection flags when using the default settings. An attacker who gains access to a session token can use it to impersonate a legitimate application user.

CNA Affected

[
  {
    "vendor": "Siemens",
    "product": "POWER METER SICAM Q100",
    "versions": [
      {
        "version": "All versions < V2.60",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "POWER METER SICAM Q100",
    "versions": [
      {
        "version": "All versions < V2.60",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "POWER METER SICAM Q100",
    "versions": [
      {
        "version": "All versions < V2.60",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  },
  {
    "vendor": "Siemens",
    "product": "POWER METER SICAM Q100",
    "versions": [
      {
        "version": "All versions < V2.60",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

cert-portal.siemens.com/productcert/pdf/ssa-480095.pdf

cert-portal.siemens.com/productcert/pdf/ssa-887249.pdf