CVE-2023-2003 - OpenCVE

Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Unitronicsplc	Vision1210 Vision1210 Firmware

Configuration 1 [-]

AND

cpe:2.3:h:unitronicsplc:vision1210:-:*:*:*:*:*:*:*

cpe:2.3:o:unitronicsplc:vision1210_firmware:4.3:build_5:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html
https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210

History

No history.

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2023-07-13T11:25:03.096Z

Updated: 2024-08-02T06:05:27.093Z

Reserved: 2023-04-12T14:08:51.192Z

Link: CVE-2023-2003

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-07-13T12:15:09.317

Modified: 2023-07-25T19:01:17.603

Link: CVE-2023-2003

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2003", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2023-04-12T14:08:51.192Z", "datePublished": "2023-07-13T11:25:03.096Z", "dateUpdated": "2024-08-02T06:05:27.093Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Vision1210", "vendor": "Unitronics", "versions": [{"status": "affected", "version": "4.3, build 5"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Carlos Antonini Cepeda"}], "datePublic": "2023-07-06T10:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.</span>\n\n"}], "value": "Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.\n\n"}], "impacts": [{"capecId": "CAPEC-636", "descriptions": [{"lang": "en", "value": "CAPEC-636: Hiding Malicious Data or Code within Files"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-506", "description": "CWE-506: Embedded Malicious Code", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2023-07-17T10:11:18.273Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210"}, {"tags": ["related", "technical-description"], "url": "https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html"}], "source": {"advisory": "INCIBE-2023-0253", "discovery": "EXTERNAL"}, "title": "Embedded malicious code vulnerability in Unitronics Vision1210", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:05:27.093Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210", "tags": ["x_transferred"]}, {"tags": ["related", "technical-description", "x_transferred"], "url": "https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:unitronicsplc:vision1210:-:*:*:*:*:*:*:*", "matchCriteriaId": "0FE3119A-2567-4524-9083-82F49216700D", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:unitronicsplc:vision1210_firmware:4.3:build_5:*:*:*:*:*:*", "matchCriteriaId": "DC8B7EE5-B15D-45DE-BCF6-73D2D207029B", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device.\n\n"}], "id": "CVE-2023-2003", "lastModified": "2023-07-25T19:01:17.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2023-07-13T12:15:09.317", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.hackplayers.com/2023/07/vulnerabilidad-vision1210-unitronics.html"}, {"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/embedded-malicious-code-vulnerability-unitronics-vision1210"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-506"}], "source": "cve-coordination@incibe.es", "type": "Secondary"}]}