
CVE-2023-25912

Webreport disclosure to unauthorized actor in Danfoss AK-EM 100

CVE: CVE-2023-25912
Title: Webreport disclosure to unauthorized actor in Danfoss AK-EM 100
Credits:
Affected products:
Product Affected Unaffected Unknown
Danfoss AK-EM 100 >= < 2.2.0.12 to < 2.2.0.12 (2.x.y.z)
everything else
CVSS Base score: 5 (MEDIUM)
References:
Problem type(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Date published:
Last modified:

Description

The webreport generation feature in the Danfoss AK-EM 100 allows an unauthorized actor to generate a web report that discloses sensitive information such as the internal IP address, usernames and internal device values.

Workaround(s)

The AK-EM 100 has been declared End of Life (EOL). Danfoss advises phasing out this type of device.

