CVE-2023-45851
Severity CVSS v4.0:
Pending analysis
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
25/10/2023
Last modified:
06/11/2023
Description
The Android Client application, when enrolled to the AppHub server,connects to an MQTT broker without enforcing any server authentication. <br />
<br />
<br />
This issue allows an attacker to force the Android Client application to connect to a malicious MQTT broker, enabling it to send fake messages to the HMI device
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:boschrexroth:ctrlx_hmi_web_panel_wr2107_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:boschrexroth:ctrlx_hmi_web_panel_wr2107:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:boschrexroth:ctrlx_hmi_web_panel_wr2110_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:boschrexroth:ctrlx_hmi_web_panel_wr2110:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:boschrexroth:ctrlx_hmi_web_panel_wr2115_firmware:*:*:*:*:*:*:*:* | ||
| cpe:2.3:h:boschrexroth:ctrlx_hmi_web_panel_wr2115:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



