CVE-2023-37857
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
09/08/2023
Last modified:
14/11/2023
Description
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.<br />
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:phoenixcontact:wp_6070-wvps_firmware:*:*:*:*:*:*:*:* | 4.0.10 (excluding) | |
| cpe:2.3:h:phoenixcontact:wp_6070-wvps:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:phoenixcontact:wp_6101-wxps_firmware:*:*:*:*:*:*:*:* | 4.0.10 (excluding) | |
| cpe:2.3:h:phoenixcontact:wp_6101-wxps:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:phoenixcontact:wp_6121-wxps_firmware:*:*:*:*:*:*:*:* | 4.0.10 (excluding) | |
| cpe:2.3:h:phoenixcontact:wp_6121-wxps:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:phoenixcontact:wp_6156-whps_firmware:*:*:*:*:*:*:*:* | 4.0.10 (excluding) | |
| cpe:2.3:h:phoenixcontact:wp_6156-whps:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:phoenixcontact:wp_6185-whps_firmware:*:*:*:*:*:*:*:* | 4.0.10 (excluding) | |
| cpe:2.3:h:phoenixcontact:wp_6185-whps:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:phoenixcontact:wp_6215-whps_firmware:*:*:*:*:*:*:*:* | 4.0.10 (excluding) | |
| cpe:2.3:h:phoenixcontact:wp_6215-whps:-:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page