CVE-2023-20003 : A vulnerability in the social login configuration option for the guest users of

A vulnerability in the social login configuration option for the guest users of Cisco Business Wireless Access Points (APs) could allow an unauthenticated, adjacent attacker to bypass social login authentication. This vulnerability is due to a logic error with the social login implementation. An attacker could exploit this vulnerability by attempting to authenticate to an affected device. A successful exploit could allow the attacker to access the Guest Portal without authentication.

Published 2023-05-18 03:15:09

Updated 2023-05-26 02:37:25

Source Cisco Systems, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-20003

Cisco » Business 151axm Firmware » Version: 10.4.2
cpe:2.3:o:cisco:business_151axm_firmware:10.4.2:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 151axm » Version: N/A
Cisco » Business 140ac Access Point Firmware
Versions before (<) 10.8.1.0
cpe:2.3:o:cisco:business_140ac_access_point_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 140ac Access Point » Version: N/A
Cisco » Business 141acm Firmware
Versions before (<) 10.8.1.0
cpe:2.3:o:cisco:business_141acm_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 141acm » Version: N/A
Cisco » Business 142acm Firmware
Versions before (<) 10.8.1.0
cpe:2.3:o:cisco:business_142acm_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 142acm » Version: N/A
Cisco » Business 143acm Firmware
Versions before (<) 10.8.1.0
cpe:2.3:o:cisco:business_143acm_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 143acm » Version: N/A
Cisco » Business 145ac Access Point Firmware
Versions before (<) 10.8.1.0
cpe:2.3:o:cisco:business_145ac_access_point_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 145ac Access Point » Version: N/A
Cisco » Business 150ax Access Point Firmware » Version: 10.4.2
cpe:2.3:o:cisco:business_150ax_access_point_firmware:10.4.2:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 150ax Access Point » Version: N/A
Cisco » Business 240ac Access Point Firmware
Versions before (<) 10.8.1.0
cpe:2.3:o:cisco:business_240ac_access_point_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Cisco » Business 240ac Access Point » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-20003

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 2 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-20003

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.7	MEDIUM	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N	2.8	1.4	Cisco Systems, Inc.
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: None Integrity: Low Availability: None
8.8	HIGH	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-20003

CWE-288 Authentication Bypass Using an Alternate Path or Channel

The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Assigned by: ykramarz@cisco.com (Secondary)
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-20003

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cbw-auth-bypass-ggnAfdZ

Cisco Business Wireless Access Points Social Login Guest User Authentication Bypass Vulnerability
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-20003

Products affected by CVE-2023-20003

Exploit prediction scoring system (EPSS) score for CVE-2023-20003

CVSS scores for CVE-2023-20003

CWE ids for CVE-2023-20003

References for CVE-2023-20003