CVE-2023-29152 : By changing the filename parameter in the request, an attacker could delete any

By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account.

Published 2023-06-07 22:15:10

Updated 2023-06-15 19:03:38

Source ICS-CERT

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2023-29152

PTC » Vuforia Studio
Versions before (<) 9.9
cpe:2.3:a:ptc:vuforia_studio:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 27 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.2	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H	1.7	4.0	ICS-CERT
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: None Integrity: None Availability: High
8.1	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H	2.8	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: ics-cert@hq.dhs.gov (Secondary)

Jump to