#VU84589 Open redirect in UC 500E - CVE-2023-50704

Cybersecurity Help s.r.o.

Published: 2023-12-20

Vulnerability identifier: #VU84589

Vulnerability risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-50704

CWE-ID: CWE-601

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
UC 500E
Hardware solutions / Firmware

Vendor: Efacec

Description

The vulnerability allows a local attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data. An attacker with physical access can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a local attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

UC 500E: 10.1.0

External links
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in EFACEC UC 500E