Vulnerability Details : CVE-2023-5935
When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself.
A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.
Products affected by CVE-2023-5935
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2023-5935
0.02%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 5 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5935
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.4
|
HIGH | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
1.4
|
5.9
|
Nozomi Networks Inc. | 2024-05-15 |
CWE ids for CVE-2023-5935
-
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.Assigned by: prodsec@nozominetworks.com (Secondary)
References for CVE-2023-5935
-
https://security.nozominetworks.com/NN-2023:13-01
NN-2023:13-01 - Missing authentication for local web interface in Arc before v1.6.0 - CVE-2023-5935 | Product Security Incident Response Portal
Jump to