CVSS: 7.5 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session via a crafted URL or HTTP request. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') • CWE-436: Interpretation Conflict

CVSS: 6.4 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows an unauthenticated remote attacker to send malicious network requests containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned log. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows a remote attacker to inject and execute arbitrary client-side script code inside a victim’s session via a crafted URL or HTTP request. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows a remote authenticated attacker to read or update arbitrary content of the authentication database via a crafted HTTP request. By abusing this vulnerability it is possible to exfiltrate other users’ password hashes or update them with arbitrary values and access their accounts. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.0 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows an authenticated remote attacker to perform actions exceeding their authorized access via crafted HTTP requests. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-285: Improper Authorization

CVSS: 10.0 • EPSS: 3% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows a remote attacker to authenticate to the SSH service with root privileges through a hidden hard-coded account. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-798: Use of Hard-coded Credentials

CVSS: 10.0 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows a remote attacker to authenticate to the web application with high privileges through multiple hidden hard-coded accounts. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-798: Use of Hard-coded Credentials

CVSS: 6.8 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows an authenticated remote attacker to list arbitrary folders in all paths of the system under the context of the application OS user (“root”) via a crafted HTTP request. By abusing this vulnerability, it is possible to steal session cookies of other active users. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.5 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows an authenticated remote attacker to upload a malicious file to the SD card containing arbitrary client-side script code and obtain its execution inside a victim’s session via a crafted URL, HTTP request, or simply by waiting for the victim to view the poisoned file. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 21 • EXPL: 0

10 Jan 2024 — The vulnerability allows an unauthenticated remote attacker to read arbitrary files under the context of the application OS user (“root”) via a crafted HTTP request. • https://psirt.bosch.com/security-advisories/BOSCH-SA-711465.html • CWE-862: Missing Authorization