NVD:CVE-2023-28361
May 11, 2023 - 10:15 p.m.

CVE-2023-28361

2023-05-11 22:15:10
CWE-352
web.nvd.nist.gov
cross-site websocket hijacking
unifi os
confidential information
malicious webpage
cloud key gen2
unvr
udm
udr
update

CVSS3: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 27.0%)

A Cross-site WebSocket Hijacking (CSWSH) vulnerability found in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a malicious webpage.

Affected Products: Cloud Key Gen2, Cloud Key Gen2 Plus, UNVR, UNVR Professional, UDM, UDM Professional, UDM SE, UDR

Mitigation: Update affected products to UniFi OS 3.0.13 or later.

Affected configurations

NVD
Node
unicloud_key_gen2  Match  -
OR
unicloud_key_gen2_plus  Match  -
OR
uniubiquiti_networks_unifi_dream_machine  Match  -
OR
uniubiquiti_networks_unifi_dream_machine_professional  Match  -
OR
uniubiquiti_networks_unifi_dream_machine_se  Match  -
OR
uniunifi_dream_router  Match  -
OR
uniunifi_protect_network_video_recorder  Match  -
OR
uniunifi_protect_network_video_recorder_professional  Match  -
AND
uniunifi_os  Range  <3.0.13
