6 results (0.009 seconds)

CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0

PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site request forgery attack or a replay attack. • https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 0

Before importing a project into Vuforia, a user could modify the “resourceDirectory” attribute in the appConfig.json file to be a different path. • https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0

A user could use the “Upload Resource” functionality to upload files to any location on the disk. • https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account. • https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 • CWE-285: Improper Authorization •

CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0

An attacker with local access to the machine could record the traffic, which could allow them to resend requests without the server authenticating that the user or session are valid. • https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13 • CWE-285: Improper Authorization •