CVE-2023-3572

CWE-78 — OS Command Injection3 documents3 sources

Severity

9.9CRITICAL

EPSS

0.7%

top 27.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

12

Phoenix Contact WP 6070-wvps Phoenix Contact WP 6101-wxps Phoenix Contact WP 6121-wxps +9 more

Timeline

PublishedAug 8

Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote, unauthenticated attacker may use an attribute of a specific HTTP POST request releated to date/time operations to gain full access to the device.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages12 packages

▶CVEListV5phoenix_contact/wp_6070-wvps< 4.0.10

▶CVEListV5phoenix_contact/wp_6101-wxps< 4.0.10

▶CVEListV5phoenix_contact/wp_6121-wxps< 4.0.10

▶CVEListV5phoenix_contact/wp_6156-whps< 4.0.10

▶CVEListV5phoenix_contact/wp_6185-whps< 4.0.10

🔴Vulnerability Details

2

CVEList

PHOENIX CONTACT: OS Command Injection in WP 6xxx Web panels↗2023-08-08

▶

GHSA

GHSA-rjhg-p5wh-jhmf: In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4↗2023-08-08

▶

CVE-2023-3572 (CRITICAL CVSS 9.9) | In PHOENIX CONTACTs WP 6xxx series | cvebase.io