CVE-2023-48374 - Vulnerability Details - OpenCVE

Description

SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information.

Published: 2023-12-15

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SmartStar Software

CWS Web-Base

unaffected

Version	Status	Constraints
`v10.25`	affected	—

Configuration 1 [-]

cpe:2.3:a:csharp:cws_collaborative_development_platform:10.25:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

Update to the latest version.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-52426	SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00194.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.twcert.org.tw/tw/cp-132-7593-d3e5b-1.html

History

No history.

Subscriptions

Csharp Cws Collaborative Development Platform

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2023-12-15T07:39:47.814Z

Updated: 2024-08-02T21:30:34.432Z

Reserved: 2023-11-16T03:49:45.971Z

Link: CVE-2023-48374

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-12-15T08:15:44.563

Modified: 2024-11-21T08:31:35.610

Link: CVE-2023-48374

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-798

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48374", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2023-11-16T03:49:45.971Z", "datePublished": "2023-12-15T07:39:47.814Z", "dateUpdated": "2024-08-02T21:30:34.432Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CWS Web-Base", "vendor": "SmartStar Software", "versions": [{"status": "affected", "version": "v10.25"}]}], "datePublic": "2023-12-15T07:40:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information."}], "value": "SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information."}], "impacts": [{"capecId": "CAPEC-70", "descriptions": [{"lang": "en", "value": "CAPEC-70: Try Common or Default Usernames and Passwords"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-12-15T07:39:47.814Z"}, "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7593-d3e5b-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to the latest version."}], "value": "Update to the latest version."}], "source": {"advisory": "TVN-202312004", "discovery": "EXTERNAL"}, "title": "SmartStar Software CWS Web-Base - Use of Hard-coded Credentials", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:30:34.432Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7593-d3e5b-1.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:csharp:cws_collaborative_development_platform:10.25:*:*:*:*:*:*:*", "matchCriteriaId": "10CC0021-D5D9-4794-9ABE-DF8F1B21F6A2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SmartStar Software CWS is a web-base integration platform, it has a vulnerability of using a hard-coded for a specific account with low privilege. An unauthenticated remote attacker can exploit this vulnerability to run partial processes and obtain partial information, but can't disrupt service or obtain sensitive information."}, {"lang": "es", "value": "SmartStar Software CWS es una plataforma de integraci\u00f3n basada en web, tiene la vulnerabilidad de utilizar un c\u00f3digo r\u00edgido para una cuenta espec\u00edfica con privilegios bajos. Un atacante remoto no autenticado puede aprovechar esta vulnerabilidad para ejecutar procesos parciales y obtener informaci\u00f3n parcial, pero no puede interrumpir el servicio ni obtener informaci\u00f3n confidencial."}], "id": "CVE-2023-48374", "lastModified": "2024-11-21T08:31:35.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-15T08:15:44.563", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7593-d3e5b-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7593-d3e5b-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-798"}], "source": "nvd@nist.gov", "type": "Primary"}]}