{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-0506", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-01-25T10:12:33.756Z", "datePublished": "2023-10-03T13:12:51.965Z", "dateUpdated": "2024-09-19T20:15:43.067Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Airspace CCTV Web Service", "vendor": "ByDemes Group", "versions": [{"status": "affected", "version": "2.616.BY00.11"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Camilo Andr\u00e9s Bruna"}], "datePublic": "2023-06-28T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access."}], "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-03T13:12:51.965Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products"}, {"url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available. By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model."}], "value": "The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available. By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model."}], "source": {"discovery": "UNKNOWN"}, "title": "ByDemes Group Airspace CCTV Web Service Improper Access Control", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:17:49.033Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products", "tags": ["x_transferred"]}, {"url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T20:15:31.046541Z", "id": "CVE-2023-0506", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T20:15:43.067Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products", "tags": ["x_transferred"]}, {"url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:17:49.033Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-0506", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-19T20:15:31.046541Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T20:15:38.826Z"}}], "cna": {"title": "ByDemes Group Airspace CCTV Web Service Improper Access Control", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Camilo Andr\u00e9s Bruna"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ByDemes Group", "product": "Airspace CCTV Web Service", "versions": [{"status": "affected", "version": "2.616.BY00.11"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available. By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model.", "supportingMedia": [{"type": "text/html", "value": "The reported vulnerability has already been fixed by the By Demes Group security team. Affected users are advised to upgrade to the latest version available. By Demes Group reminds that the affected devices are at end of life and are no longer supported, so it is recommended to upgrade to a newer model.", "base64": false}]}], "datePublic": "2023-06-28T10:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products"}, {"url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.", "supportingMedia": [{"type": "text/html", "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-10-03T13:12:51.965Z"}}}, "cveMetadata": {"cveId": "CVE-2023-0506", "state": "PUBLISHED", "dateUpdated": "2024-09-19T20:15:43.067Z", "dateReserved": "2023-01-25T10:12:33.756Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2023-10-03T13:12:51.965Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bydemes:airspace_cctv_web_service:2.616.by00.11:*:*:*:*:*:*:*", "matchCriteriaId": "BC853657-76B9-41EC-AB9C-4C25D9501D69", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The web service of ByDemes Group Airspace CCTV Web Service in its 2.616.BY00.11 version, contains a privilege escalation vulnerability, detected in the Camera Control Panel, whose exploitation could allow a low-privileged attacker to gain administrator access."}, {"lang": "es", "value": "El servicio web de ByDemes Group Airspace CCTV Web Service en su versi\u00f3n 2.616.BY00.11, contiene una vulnerabilidad de escalada de privilegios, detectada en el Panel de Control de C\u00e1maras, cuya explotaci\u00f3n podr\u00eda permitir a un atacante con pocos privilegios obtener acceso de administrador."}], "id": "CVE-2023-0506", "lastModified": "2023-10-05T01:00:10.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-10-03T14:15:10.473", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Not Applicable"], "url": "https://github.com/zerolynx/wstg/blob/master/document/4-Web_Application_Security_Testing/05-Authorization_Testing/02-Testing_for_Bypassing_Authorization_Schema.md"}, {"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-demes-group-products"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}

{}