2023] Incorrect input data validation in Lanaccess ONSAFE MonitorHM Web Console

Posted date 08/11/2023

Importance

4 - High

Affected Resources

Lanaccess ONSAFE MonitorHM, version 3.7.0.

Description

INCIBE has coordinated the publication of 1 vulnerabilitiy that affects Lanaccess ONSAFE MonitorHM 3.7.0, which have been discovered by Petar Alexandrov Nikolov.

This vulnerabilitiy has been assigned the following code, CVSS v3.1 base score, CVSS vector string, and CWE vulnerability type:

CVE-2023-6012: CVSS v3.1: 8.3 | CVSS: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L | CWE-20.

Solution

[Update 22/11/2023] The vulnerability has been fixed in version 4.1.3 (2021 and later). The equipment allows a system administrator user in local mode to configure the system in protected mode, being able to disable access to commands completely.

Detail

CVE-2023-6012: an improper input validation vulnerability has been found in Lanaccess ONSAFE MonitorHM affecting version 3.7.0. This vulnerability could lead a remote attacker to exploit the checkbox element and perform remote code execution, compromising the entire infrastructure.

References list

Lanaccess website

Etiquetas