Multiple vulnerabilities in PTC Vuforia Studio
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2023-29168 CVE-2023-24476 CVE-2023-29152 CVE-2023-27881 CVE-2023-29502 CVE-2023-31200 |
| CWE-ID | CWE-522 CWE-285 CWE-434 CWE-22 CWE-352 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Vuforia Studio Other software / Other software solutions |
| Vendor | PTC |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Insufficiently protected credentials
EUVDB-ID: #VU76051
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-29168
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficiently protected credentials. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVuforia Studio: All versions
CPE2.3 External linkshttps://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Authorization
EUVDB-ID: #VU76052
Risk: Low
CVSSv4.0: 0.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-24476
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass authorization checks.
The vulnerability exists due to improper authorization. A local administrator can resend requests without the server authenticating that the user or session are valid.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVuforia Studio: All versions
CPE2.3 External linkshttps://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Authorization
EUVDB-ID: #VU76059
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-29152
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper authorization. A remote administrator can change the filename parameter in the request and delete any file with the permissions of the Vuforia server account.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVuforia Studio: All versions
CPE2.3 External linkshttps://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Arbitrary file upload
EUVDB-ID: #VU76060
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-27881
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in the "Upload Resource" functionality. A remote administrator can upload a malicious file and execute it on the server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVuforia Studio: All versions
CPE2.3 External linkshttps://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Path traversal
EUVDB-ID: #VU76063
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-29502
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote administrator can modify the "resourceDirectory" attribute in the appConfig.json file and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsVuforia Studio: All versions
CPE2.3 External linkshttps://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site request forgery
EUVDB-ID: #VU76064
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-31200
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote user can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVuforia Studio: All versions
CPE2.3 External linkshttps://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
