CVE-2023-31240

Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.
Configurations

Configuration 1 (hide)

cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*

History

31 May 2023, 14:45

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
First Time Snapone
Snapone orvc
CPE cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*
References (MISC) https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf - (MISC) https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf - Release Notes
References (MISC) https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 - (MISC) https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 - Third Party Advisory, US Government Resource

Information

Published : 2023-05-22 20:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-31240

Mitre link : CVE-2023-31240

CVE.ORG link : CVE-2023-31240


JSON object : View

Products Affected

snapone

  • orvc
CWE
CWE-798

Use of Hard-coded Credentials