VULNRICHMENT:CVE-2023-38255
Sep 18, 2023 - 8:08 p.m.

CVE-2023-38255 Socomec MOD3GP-SY-120K Cross-site Scripting

2023-09-18 20:08:05
CWE-79
icscert
github.com
Tags: cve-2023-38255, socomec, mod3gp-sy-120k, cross-site scripting, device configuration, cookie theft, malicious code

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 6.6
Confidence: High

EPSS: 0.001
Percentile: 28.0%

SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial

A potential attacker with or without (cookie theft) access to the device would be able to include malicious code (XSS) when uploading new device configuration that could affect the intended function of the device.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*"
    ],
    "vendor": "socomec",
    "product": "modulys_gp_firmware",
    "versions": [
      {
        "status": "affected",
        "version": "01.12.10"
      }
    ],
    "defaultStatus": "unknown"
  }
]
