VDE-2023-045 | CERT@VDE

2023-12-05 08:00 (CET) VDE-2023-045

Wago: Vulnerability in Smart Designer Web-Application

Share: Email | Twitter

ID

VDE-2023-045

Published

2023-12-05 08:00 (CET)

Last update

2023-12-04 08:42 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No°	Product Name	Affected Version(s)
	Smart Designer	<= 2.33.1

Summary

An attacker with privileges can enumerate projects and usernames through an iterative process, by making a request to a specific endpoint.

CVE ID

CVE-2023-5872

Last Update:

31. Oktober 2023 08:32

Severity

4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Weakness

Observable Discrepancy (CWE-203)

Summary

In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.

Details

cert.vde.com

Impact

The vulnerability might result in disclosure of sensitive information.

Solution

Remediation

A patch for the WAGO Smart Designer will be available with version 2.34.

Reported by

The vulnerability was reported by Brett Dewall from White Oak Security.

Coordination done by CERT@VDE.