CVE-2023-37857

Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. This issue cannot be exploited to bypass the web service authentication of the affected device(s).

Related CPE's

ophoenixcontactwp_6070-wvps_firmware********

hphoenixcontactwp_6070-wvps-*******

ophoenixcontactwp_6101-wxps_firmware********

hphoenixcontactwp_6101-wxps-*******

ophoenixcontactwp_6121-wxps_firmware********

hphoenixcontactwp_6121-wxps-*******

ophoenixcontactwp_6156-whps_firmware********

hphoenixcontactwp_6156-whps-*******

ophoenixcontactwp_6185-whps_firmware********

hphoenixcontactwp_6185-whps-*******

References

https://cert.vde.com/en/advisories/VDE-2023-018/

Third Party Advisory

CvssV3 impact

Could not find any metrics

CvssV2 impact

Could not find any metrics
Created by Yello
About Severity.io