CVE-2023-25912 - Webreport disclosure to unauthorized actor in Danfoss AK-EM 100

CVE

CVE-2023-25912

Discovered by

Jony Schats and Stan Plasmeijer (HackDefense)

Credits

Jony Schats (HackDefense)
Stan Plasmeijer (HackDefense)
Max van der Horst (DIVD)

Affected products

Product	Affected	Unaffected	Unknown
Danfoss AK-EM 100	>= 2.x.y.z < 2.2.0.12 to < 2.2.0.12
Danfoss AK-EM 100		everything else

Page author

Max van der Horst

CVSS

Base score: 5 (MEDIUM)

References

https://divd.nl/cves/CVE-2023-25912 ( issue-tracking, third-party-advisory )
https://csirt.divd.nl/DIVD-2023-00021 ( third-party-advisory )

Problem type(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Last modified

25 May 2023 17:58

Description

The webreport generation feature in the Danfoss AK-EM 100 allows an unauthorized actor to generate a web report that discloses sensitive information such as the internal IP address, usernames and internal device values.

JSON version

DIVD CSIRT

CVE-2023-25912 - Webreport disclosure to unauthorized actor in Danfoss AK-EM 100

Description