CVE-2023-37858

CWE-311 CWE-798 — Hard-coded Credentials3 documents3 sources

Severity

4.9MEDIUM

EPSS

0.0%

top 92.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

12

Phoenix Contact WP 6070-wvps Phoenix Contact WP 6101-wxps Phoenix Contact WP 6121-wxps +9 more

Timeline

PublishedAug 9

Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing to decrypt an encrypted web application login password.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages12 packages

▶CVEListV5phoenix_contact/wp_6070-wvps< 4.0.10

▶CVEListV5phoenix_contact/wp_6101-wxps< 4.0.10

▶CVEListV5phoenix_contact/wp_6121-wxps< 4.0.10

▶CVEListV5phoenix_contact/wp_6156-whps< 4.0.10

▶CVEListV5phoenix_contact/wp_6185-whps< 4.0.10

🔴Vulnerability Details

2

GHSA

GHSA-xhjr-gh4r-f8xr: In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4↗2023-08-09

▶

CVEList

PHOENIX CONTACT: Use of Hard-coded Credentials in WP 6xxx Web panels↗2023-08-09

▶

CVE-2023-37858 (MEDIUM CVSS 4.9) | In PHOENIX CONTACTs WP 6xxx series | cvebase.io