CVE-2023-1779

Helmholz and MB Connect Line: Account takeover via password reset in multiple products

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an authorized remote attacker with low privileges to view a limited amount of another accounts contact information.

*Credits: Helmholz GmbH & Co. KG

CVSS Scores

CERT VDEv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-03-31 CVE Reserved
2023-06-06 CVE Published
2024-06-12 EPSS Updated
2024-10-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-863: Incorrect Authorization

CAPEC

References (1)

URL	Tag	Source
https://cert.vde.com/en/advisories/VDE-2023-008	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mbconnectline Search vendor "Mbconnectline"		Mbconnect24 Search vendor "Mbconnectline" for product "Mbconnect24"				<= 2.13.3 Search vendor "Mbconnectline" for product "Mbconnect24" and version " <= 2.13.3"		-		Affected
Mbconnectline Search vendor "Mbconnectline"		Mymbconnect24 Search vendor "Mbconnectline" for product "Mymbconnect24"				<= 2.13.3 Search vendor "Mbconnectline" for product "Mymbconnect24" and version " <= 2.13.3"		-		Affected