Lucene search

NozomiCVELIST:CVE-2023-6949

HistoryApr 02, 2024 - 10:27 a.m.

CVE-2023-6949

2024-04-0210:27:44

CWE-306

Nozomi

www.cve.org

cve-2023-6949

missing authentication

critical function

http service

dji mavic mini 3 pro

port 80

video download

picture download

drone memory

external memory

CVSS3

5.2

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

Percentile

9.0%

JSON

A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mini 3 Pro",
    "vendor": "DJI",
    "versions": [
      {
        "lessThan": "01.00.1200",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-6949/

CVSS3

5.2

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score

5.6

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVELIST:CVE-2023-6949