TXOne Networks

CVE-2023-46381

Last Updated: March 29, 2024

CVE-2023-46381 — Loytec LWEB-802 Missing Authentication Vulnerability

CVE ID: CVE-2023-46381

Publication Date: 2023-11-03

Severity: High

Affected Vendor

LOYTEC electronics GmbH

Affected Products

  • LINX-212 firmware 6.2.4
  • LVIS-3ME12-A1 firmware 6.2.2
  • LIOB-586 firmware 6.2.3

Vulnerability Description

Authentication is missing on the web user interface for the preinstalled version of LWEB-802. If there is a project on a device, an unauthenticated user could create a new project on the web interface and access or control a graphical interface. An unauthenticated user could also edit or delete a current web project, change settings, delete system logs, etc.

Vulnerable URL Path: http://<IP>:<port>/lweb802_pre/
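
Added example (not part of the TXOne advisory and not LOYTEC code): a log triage script that flags requests to the vulnerable path arriving from outside a management allowlist, including percent-encoded and dot-segment variants of the path. It assumes a reverse proxy or sensor in front of the device that writes Combined Log Format; the allowlist network, the sample log lines and the treatment of non-read methods as changes are assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

VULN_PREFIX = "/lweb802_pre/"  # vulnerable path named in the advisory
# Assumption: the only hosts that should reach the device web UI.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/28")]
# Combined Log Format: src - user [ts] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def is_vulnerable_path(target):
    """Match the path after decoding %-escapes and collapsing //, ./ and ../."""
    raw = target.split("?", 1)[0] if target.startswith("/") else urlsplit(target).path
    path = posixpath.normpath(re.sub(r"/+", "/", unquote(raw))) + "/"
    # Case-folding may over-match; for triage that is the safer direction.
    return path.lower().startswith(VULN_PREFIX)

def find_hits(lines, allowed_nets=ALLOWED_NETS):
    """Return requests to the vulnerable path from outside the allowed networks."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_vulnerable_path(m["target"]):
            continue
        try:
            allowed = any(ipaddress.ip_address(m["src"]) in n for n in allowed_nets)
        except ValueError:
            allowed = False  # an unparseable source is never treated as trusted
        if allowed:
            continue
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "target": m["target"],
                     "served": int(m["status"]) < 400,  # not blocked upstream
                     # Assumption: edits and deletions arrive as non-read methods.
                     "write": m["method"] not in ("GET", "HEAD", "OPTIONS")})
    return hits

# Constructed sample log; addresses are documentation ranges, sub-paths are made up.
SAMPLE_LOG = [
    '10.20.0.5 - - [03/Nov/2023:09:00:01 +0000] "GET /lweb802_pre/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [03/Nov/2023:09:02:11 +0000] "GET /lweb802_pre/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [03/Nov/2023:09:02:40 +0000] "POST /%6Cweb802_pre/x HTTP/1.1" 200 88',
    '203.0.113.9 - - [03/Nov/2023:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 300',
    '203.0.113.9 - - [03/Nov/2023:09:05:07 +0000] "GET /a/../lweb802_pre/ HTTP/1.1" 403 0',
]
if __name__ == "__main__":
    print(*find_hits(SAMPLE_LOG), sep="\n")
```

A hit with "served" true means nothing upstream blocked the request, so the device answered it without authentication.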

Solutions & Rules

N/A

Credit

Chizuru Toyama of TXOne Networks

Questions About This Advisory?

Our PSIRT team is here to help with security-related inquiries.

psirt@txone.com