CVE-2023-35794

Опубликовано: 27 окт. 2023

Источник: nvd

CVSS3: 8.8

EPSS Низкий

Описание

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

Ссылки

https://blog.kscsc.online/cves/202335794/md.html
https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking
Exploit
Third Party Advisory
https://www.cassianetworks.com/products/iot-access-controller/
Product
https://blog.kscsc.online/cves/202335794/md.html
https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking
Exploit
Third Party Advisory
https://www.cassianetworks.com/products/iot-access-controller/
Product

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:cassianetworks:access_controller:2.1.1.2303271039:*:*:*:*:*:*:*

EPSS

Процентиль: 54%

0.00313

Низкий

8.8 High

CVSS3

Дефекты

CWE-287

Связанные уязвимости

GHSA-phrf-fj83-fcfv