CVE Catalog

CVE-2023-37857

LowCVSS 3.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.44%

35th percentile — higher than 35% of all known CVEs

Summary

In PHOENIX CONTACT's WP 6xxx series web panels in versions prior to 4.0.10, an authenticated remote attacker with admin privileges can read hardcoded cryptographic keys, allowing the attacker to create valid session cookies.

Risk Assessment

The attacker may use these cookies to attempt to gain access to the device, although the cookies alone are not sufficient to establish a valid session.

Recommendation

It is recommended to update the panels to version 4.0.10 or later to mitigate this vulnerability.

Original NVD description (English source)

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS