CVE-2023-1134
CVE-2023-1134
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a path traversal vulnerability, which could allow an attacker to read local files, disclose plaintext credentials, and escalate privileges.
This vulnerability allows remote attackers to delete arbitrary files on affected installations of Delta Electronics InfraSuite Device Master. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the CtrlLayerNWCmd_ReportFileOperation function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of an administrator.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-03-01 CVE Reserved
- 2023-03-27 CVE Published
- 2024-08-02 CVE Updated
- 2024-09-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Deltaww Search vendor "Deltaww" | Infrasuite Device Master Search vendor "Deltaww" for product "Infrasuite Device Master" | < 1.0.5 Search vendor "Deltaww" for product "Infrasuite Device Master" and version " < 1.0.5" | - |
Affected
| ||||||