CVE-2023-37858

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing to decrypt an encrypted web application login password.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert.vde.com/en/advisories/VDE-2023-018/	Third Party Advisory
https://cert.vde.com/en/advisories/VDE-2023-018/	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:phoenixcontact:wp_6070-wvps_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:wp_6070-wvps:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:phoenixcontact:wp_6101-wxps_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:wp_6101-wxps:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:phoenixcontact:wp_6121-wxps_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:wp_6121-wxps:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:phoenixcontact:wp_6156-whps_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:wp_6156-whps:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:phoenixcontact:wp_6185-whps_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:wp_6185-whps:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:phoenixcontact:wp_6215-whps_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:phoenixcontact:wp_6215-whps:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:12

Type	Values Removed	Values Added
References	~~() https://cert.vde.com/en/advisories/VDE-2023-018/ - Third Party Advisory~~	() https://cert.vde.com/en/advisories/VDE-2023-018/ - Third Party Advisory

15 Aug 2023, 17:14

Type	Values Removed	Values Added
First Time		Phoenixcontact Phoenixcontact wp 6101-wxps Firmware Phoenixcontact wp 6070-wvps Phoenixcontact wp 6215-whps Phoenixcontact wp 6215-whps Firmware Phoenixcontact wp 6185-whps Firmware Phoenixcontact wp 6121-wxps Firmware Phoenixcontact wp 6156-whps Phoenixcontact wp 6185-whps Phoenixcontact wp 6121-wxps Phoenixcontact wp 6101-wxps Phoenixcontact wp 6156-whps Firmware Phoenixcontact wp 6070-wvps Firmware
CWE	~~CWE-798~~	CWE-311
CPE		cpe:2.3:o:phoenixcontact:wp_6121-wxps_firmware:::::::: cpe:2.3:h:phoenixcontact:wp_6215-whps:-:::::::* cpe:2.3:o:phoenixcontact:wp_6156-whps_firmware:::::::: cpe:2.3:o:phoenixcontact:wp_6070-wvps_firmware:::::::: cpe:2.3:h:phoenixcontact:wp_6185-whps:-:::::::* cpe:2.3:o:phoenixcontact:wp_6101-wxps_firmware:::::::: cpe:2.3:h:phoenixcontact:wp_6070-wvps:-:::::::* cpe:2.3:h:phoenixcontact:wp_6156-whps:-:::::::* cpe:2.3:h:phoenixcontact:wp_6121-wxps:-:::::::* cpe:2.3:o:phoenixcontact:wp_6185-whps_firmware:::::::: cpe:2.3:o:phoenixcontact:wp_6215-whps_firmware:::::::: cpe:2.3:h:phoenixcontact:wp_6101-wxps:-:::::::*
References	~~(MISC) https://cert.vde.com/en/advisories/VDE-2023-018/ -~~	(MISC) https://cert.vde.com/en/advisories/VDE-2023-018/ - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~3.8~~	v2 : unknown v3 : 4.9

09 Aug 2023, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-09 07:15

Updated : 2024-11-21 08:12

NVD link : CVE-2023-37858

Mitre link : CVE-2023-37858

CVE.ORG link : CVE-2023-37858

JSON object : View

Products Affected

phoenixcontact

wp_6185-whps
wp_6156-whps_firmware
wp_6215-whps_firmware
wp_6185-whps_firmware
wp_6121-wxps
wp_6156-whps
wp_6070-wvps_firmware
wp_6101-wxps
wp_6101-wxps_firmware
wp_6215-whps
wp_6070-wvps
wp_6121-wxps_firmware

CWE

CWE-311

Missing Encryption of Sensitive Data

4.9 /10