Vulnerability Details : CVE-2023-31245
Devices using the Snap One OvrC cloud are sent to a web address when a user accesses their web management interface over an HTTP connection. An attacker could impersonate a device and supply malicious information about the device's web server interface; by supplying malicious parameters, the attacker could redirect the user to arbitrary and dangerous locations on the web.
Vulnerability category: Open redirect
Products affected by CVE-2023-31245
- cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-31245
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~52% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-31245
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L | 2.8 | 3.7 | ICS-CERT |
6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 | NIST |
CWE ids for CVE-2023-31245
- The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. Assigned by: ics-cert@hq.dhs.gov (Primary)
References for CVE-2023-31245
- https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-p.pdf (Release Notes)
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 (Snap One OvrC Cloud | CISA; Third Party Advisory; US Government Resource)