CVE-2023-40728

A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application stores sensitive application data in an external insecure storage. This could allow an attacker to alter content, leading to arbitrary code execution or denial-of-service condition.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf	Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:siemens:qms_automotive:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:20

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.8~~	v2 : unknown v3 : 7.3
References	~~() https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf - Vendor Advisory~~	() https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf - Vendor Advisory

14 Sep 2023, 17:28

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.3~~	v2 : unknown v3 : 7.8
First Time		Siemens Siemens qms Automotive
CPE		cpe:2.3:a:siemens:qms_automotive::::::::
References	~~(MISC) https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf -~~	(MISC) https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf - Vendor Advisory

12 Sep 2023, 11:51

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-09-12 10:15

Updated : 2024-11-21 08:20

NVD link : CVE-2023-40728

Mitre link : CVE-2023-40728

CVE.ORG link : CVE-2023-40728

JSON object : View

Products Affected

siemens

qms_automotive

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2023-40728", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "productcert@siemens.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2023-09-12T10:15:29.210", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf", "tags": ["Vendor Advisory"], "source": "productcert@siemens.com"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-147266.pdf", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "productcert@siemens.com", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application stores sensitive application data in an external insecure storage. This could allow an attacker to alter content, leading to arbitrary code execution or denial-of-service condition."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en QMS Automotive (Todas las versiones < V12.39). El m\u00f3dulo QMS.Mobile de la aplicaci\u00f3n afectada almacena datos confidenciales de la aplicaci\u00f3n en un almacenamiento externo inseguro. Esto podr\u00eda permitir que un atacante altere el contenido, lo que provocar\u00eda la ejecuci\u00f3n de c\u00f3digo arbitrario o una condici\u00f3n de denegaci\u00f3n de servicio."}], "lastModified": "2024-11-21T08:20:02.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:siemens:qms_automotive:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17162BBB-9C4B-4347-B2F6-F8E40D67C954", "versionEndExcluding": "12.39"}], "operator": "OR"}]}], "sourceIdentifier": "productcert@siemens.com"}