Externally Controlled Reference to a Resource in Another Sphere in WAGO products - CVE-2023-4089
Published: November 22, 2023
Vulnerability identifier: #VU83406
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-4089
CWE-ID: CWE-610
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: WAGO
Affected software:
Compact Controller CC100
Edge Controller
PFC100
PFC200
Touch Panel 600 Advanced Line
Touch Panel 600 Marine Line
Touch Panel 600 Standard Line
Compact Controller CC100
Edge Controller
PFC100
PFC200
Touch Panel 600 Advanced Line
Touch Panel 600 Marine Line
Touch Panel 600 Standard Line
Detailed vulnerability description
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to the affected software uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere. A remote administrator can access files which they already have access to through an undocumented local file inclusion.
How to mitigate CVE-2023-4089
Install updates from vendor's website.