
ID

VDE-2023-045

Published

2023-12-05 08:00 (CET)

Last update

2023-12-04 08:42 (CET)

Vendor(s)

WAGO GmbH & Co. KG

Product(s)

Article No° Product Name Affected Version(s)
Smart Designer <= 2.33.1

Summary

An attacker with privileges can enumerate projects and usernames through an iterative process, by making a request to a specific endpoint.


Last Update:

Oct. 31, 2023, 8:32 a.m.

Weakness

Observable Discrepancy (CWE-203)

Summary

In WAGO Smart Designer versions up to 2.33.1, a low-privileged remote attacker may enumerate projects and usernames through iterative requests to a specific endpoint.


Impact

The vulnerability might result in disclosure of sensitive information.

Solution

Remediation

A patch for the WAGO Smart Designer will be available with version 2.34. 
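The following is an added detection example, not part of this advisory and not WAGO code: it flags the iterative request pattern described in the summary by counting how many distinct lookup values one account sends to one endpoint within a time window. The log format, the path `/PLACEHOLDER/lookup`, the account names and both thresholds are assumptions, since the advisory does not name the endpoint.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(minutes=5)   # assumed look-back window
MIN_DISTINCT = 20               # assumed threshold of distinct lookups per window

def build_sample():
    """Constructed log lines: '<time> <account> <method> <url> <status>'.
    The path /PLACEHOLDER/lookup is hypothetical; the advisory names no endpoint."""
    base, lines = datetime(2023, 11, 1, 10, 0, 0), []
    def add(t, user, name, status):
        lines.append(f"{t.isoformat()} {user} GET /PLACEHOLDER/lookup?name={name} {status}")
    for i in range(30):
        # user-low: 30 different names in one minute, answers differ (200 vs 404)
        add(base + timedelta(seconds=2 * i), "user-low", f"cand{i:02d}", 200 if i % 5 == 0 else 404)
        # user-poll: the same name over and over (benign polling)
        add(base + timedelta(seconds=2 * i), "user-poll", "proj-a", 200)
        # user-slow: different names, but spread over hours
        add(base + timedelta(minutes=10 * i), "user-slow", f"proj-{i}", 200)
    return lines

def find_enumeration(lines, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {(account, path): peak distinct query strings in any window} at or above the threshold."""
    events = defaultdict(list)
    for line in lines:
        ts, user, _method, url, _status = line.split()
        parts = urlsplit(url)
        events[(user, parts.path)].append((datetime.fromisoformat(ts), parts.query))
    findings = {}
    for key, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, query in evs:
            in_window[query] += 1
            while ts - evs[start][0] > window:   # drop events older than the window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct:
            findings[key] = peak
    return findings

if __name__ == "__main__":
    for (user, path), peak in find_enumeration(build_sample()).items():
        print(f"{user} requested {peak} distinct values from {path} within {WINDOW}")
```

Counting distinct values rather than raw request volume keeps a client that polls one project from being flagged, while an account that walks through many candidate names in a short period stands out.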

Reported by

The vulnerability was reported by Brett Dewall from White Oak Security.

Coordination done by CERT@VDE.