Vuforia Studio Security Vulnerabilities

CVE-2023-24476

An attacker with local access to the machine could record the traffic,which could allow them to resend requests without the serverauthenticating that the user or session are valid.

CVE-2023-27881

A user could use the “Upload Resource” functionality to upload files to any location on the disk.

CVE-2023-29152

By changing the filename parameter in the request, an attacker coulddelete any file with the permissions of the Vuforia server account.

CVE-2023-29168

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.

CVE-2023-29502

Before importing a project into Vuforia, a user could modify the“resourceDirectory” attribute in the appConfig.json file to be adifferent path.

CVE-2023-31200

PTC Vuforia Studio does not require a token; this could allow anattacker with local access to perform a cross-site request forgeryattack or a replay attack.