CVE-2023-4228 - OpenCVE

A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moxa	Iologik E4200 Iologik E4200 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:moxa:iologik_e4200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:iologik_e4200:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability

History

No history.

MITRE

Status: PUBLISHED

Assigner: Moxa

Published: 2023-08-24T06:19:40.559Z

Updated: 2024-08-02T07:24:03.385Z

Reserved: 2023-08-08T07:25:39.362Z

Link: CVE-2023-4228

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-08-24T07:15:11.823

Modified: 2023-08-29T23:36:22.147

Link: CVE-2023-4228

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4228", "assignerOrgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa", "state": "PUBLISHED", "assignerShortName": "Moxa", "dateReserved": "2023-08-08T07:25:39.362Z", "datePublished": "2023-08-24T06:19:40.559Z", "dateUpdated": "2024-08-02T07:24:03.385Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ioLogik 4000 Series", "vendor": "Moxa", "versions": [{"lessThanOrEqual": "1.6", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.</p>"}], "value": "A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.\n\n"}], "impacts": [{"capecId": "CAPEC-107", "descriptions": [{"lang": "en", "value": "CAPEC-107 Cross Site Tracing"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1004", "description": "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e0a0ee2-d866-482a-9f5e-ac03d156dbaa", "shortName": "Moxa", "dateUpdated": "2023-08-24T06:19:40.559Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.<br><ul><li>ioLogik 4000 Series (ioLogik E4200): Please contact Moxa Technical Support for the security patch.</li></ul>"}], "value": "Moxa has developed appropriate solutions to address the vulnerabilities. The solutions for affected products are shown below.\n * ioLogik 4000 Series (ioLogik E4200): Please contact Moxa Technical Support for the security patch.\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "title": "ioLogik 4000 Series: Session Cookies Attribute Not Set Properly", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:24:03.385Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:moxa:iologik_e4200_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEF12B05-ED1F-4200-95AA-04D902B38DD7", "versionEndIncluding": "1.6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:moxa:iologik_e4200:-:*:*:*:*:*:*:*", "matchCriteriaId": "CDD86C52-2E62-4B05-B3A3-5EA4A97F9332", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in ioLogik 4000 Series (ioLogik E4200) firmware versions v1.6 and prior, where the session cookies attribute is not set properly in the affected application. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.\n\n"}], "id": "CVE-2023-4228", "lastModified": "2023-08-29T23:36:22.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "psirt@moxa.com", "type": "Secondary"}]}, "published": "2023-08-24T07:15:11.823", "references": [{"source": "psirt@moxa.com", "tags": ["Vendor Advisory"], "url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230310-iologik-4000-series-multiple-web-server-vulnerabilities-and-improper-access-control-vulnerability"}], "sourceIdentifier": "psirt@moxa.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1004"}], "source": "psirt@moxa.com", "type": "Secondary"}]}