Vulnerability Details : CVE-2023-23450
Use of Password Hash Instead of Password for Authentication in SICK FTMg AIR
FLOW SENSOR with Partnumbers 1100214, 1100215, 1100216, 1120114, 1120116, 1122524, 1122526
allows an unprivileged remote attacker to use a password hash instead of an actual password to login
to a valid user account via the REST interface.
Vulnerability category: BypassGain privilege
Products affected by CVE-2023-23450
- cpe:2.3:o:sick:ftmg-esd20axx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sick:ftmg-esd25axx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sick:ftmg-esn40sxx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sick:ftmg-esn50sxx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sick:ftmg-esr50sxx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sick:ftmg-esr40sxx_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:sick:ftmg-esd15axx_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-23450
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-23450
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST | |
6.2
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.5
|
3.6
|
SICK AG |
CWE ids for CVE-2023-23450
-
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.Assigned by: nvd@nist.gov (Primary)
-
The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store.Assigned by: psirt@sick.de (Secondary)
References for CVE-2023-23450
-
https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.pdf
Vendor Advisory
-
https://sick.com/psirt
The SICK Product Security Incident Response Team (SICK PSIRT) | SICKVendor Advisory
-
https://sick.com/.well-known/csaf/white/2023/sca-2023-0004.json
Vendor Advisory
Jump to