CVE-2023-37858

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-37858
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing to decrypt an encrypted web application login password.

4.9 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://cert.vde.com/en/advisories/VDE-2023-018/ Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2023-018/ Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:phoenixcontact:wp_6070-wvps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6070-wvps:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:phoenixcontact:wp_6101-wxps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6101-wxps:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:phoenixcontact:wp_6121-wxps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6121-wxps:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:phoenixcontact:wp_6156-whps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6156-whps:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:phoenixcontact:wp_6185-whps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6185-whps:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:phoenixcontact:wp_6215-whps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6215-whps:-:*:*:*:*:*:*:*
History

21 Nov 2024, 08:12

Type Values Removed Values Added
References () https://cert.vde.com/en/advisories/VDE-2023-018/ - Third Party Advisory () https://cert.vde.com/en/advisories/VDE-2023-018/ - Third Party Advisory

15 Aug 2023, 17:14

Type Values Removed Values Added
First Time Phoenixcontact wp 6101-wxps
Phoenixcontact wp 6070-wvps
Phoenixcontact wp 6156-whps
Phoenixcontact wp 6121-wxps
Phoenixcontact wp 6185-whps Firmware
Phoenixcontact wp 6185-whps
Phoenixcontact wp 6101-wxps Firmware
Phoenixcontact
Phoenixcontact wp 6121-wxps Firmware
Phoenixcontact wp 6215-whps Firmware
Phoenixcontact wp 6215-whps
Phoenixcontact wp 6156-whps Firmware
Phoenixcontact wp 6070-wvps Firmware
CVSS v2 : unknown
v3 : 3.8 		v2 : unknown
v3 : 4.9
References (MISC) https://cert.vde.com/en/advisories/VDE-2023-018/ - (MISC) https://cert.vde.com/en/advisories/VDE-2023-018/ - Third Party Advisory
CPE cpe:2.3:o:phoenixcontact:wp_6121-wxps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:phoenixcontact:wp_6070-wvps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:phoenixcontact:wp_6185-whps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:phoenixcontact:wp_6215-whps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6121-wxps:-:*:*:*:*:*:*:*
cpe:2.3:o:phoenixcontact:wp_6156-whps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6070-wvps:-:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6156-whps:-:*:*:*:*:*:*:*
cpe:2.3:o:phoenixcontact:wp_6101-wxps_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6185-whps:-:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6215-whps:-:*:*:*:*:*:*:*
cpe:2.3:h:phoenixcontact:wp_6101-wxps:-:*:*:*:*:*:*:*
CWE CWE-798 CWE-311

09 Aug 2023, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-08-09 07:15

Updated : 2024-11-21 08:12

NVD link : CVE-2023-37858

Mitre link : CVE-2023-37858

CVE.ORG link : CVE-2023-37858

JSON object : View

Products Affected

phoenixcontact

  • wp_6101-wxps
  • wp_6156-whps
  • wp_6185-whps_firmware
  • wp_6215-whps_firmware
  • wp_6070-wvps_firmware
  • wp_6215-whps
  • wp_6121-wxps
  • wp_6121-wxps_firmware
  • wp_6185-whps
  • wp_6101-wxps_firmware
  • wp_6070-wvps
  • wp_6156-whps_firmware
CWE
CWE-311

Missing Encryption of Sensitive Data