CWE-749
AllowedExposed Dangerous Method or Function
Abstraction: Base · Status: Incomplete
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
304 vulnerabilities reference this CWE, most recent first.
CVE-2023-51575 (GCVE-0-2023-51575)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:15 – Updated: 2024-08-02 22:40- CWE-749 - Exposed Dangerous Method or Function
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Voltronic Power | ViewPower |
Affected:
1.04.21353
|
|
| voltronicpower | viewpower |
Affected:
1.04.21353
cpe:2.3:a:voltronicpower:viewpower:1.04.21353:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronicpower:viewpower:1.04.21353:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower",
"vendor": "voltronicpower",
"versions": [
{
"status": "affected",
"version": "1.04.21353"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51575",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:53:30.369307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:26.041Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1881",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1881/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "1.04.21353"
}
]
}
],
"dateAssigned": "2023-12-20T20:45:49.263Z",
"datePublic": "2023-12-20T23:08:58.854Z",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the MonitorConsole class. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22011."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:08.533Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1881",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1881/"
}
],
"source": {
"lang": "en",
"value": "hir0ot"
},
"title": "Voltronic Power ViewPower MonitorConsole Exposed Dangerous Method Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51575",
"datePublished": "2024-05-03T02:15:08.533Z",
"dateReserved": "2023-12-20T20:38:20.867Z",
"dateUpdated": "2024-08-02T22:40:33.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51574 (GCVE-0-2023-51574)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:15 – Updated: 2024-08-02 22:40- CWE-749 - Exposed Dangerous Method or Function
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Voltronic Power | ViewPower |
Affected:
1.04.21353
|
|
| voltronicpower | viewpower |
Affected:
1.04.21353
cpe:2.3:a:voltronicpower:viewpower:1.04.21353:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronicpower:viewpower:1.04.21353:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower",
"vendor": "voltronicpower",
"versions": [
{
"status": "affected",
"version": "1.04.21353"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-03T19:54:51.372676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:20:34.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.602Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1880",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1880/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "1.04.21353"
}
]
}
],
"dateAssigned": "2023-12-20T20:45:49.257Z",
"datePublic": "2023-12-20T23:08:55.295Z",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower updateManagerPassword Exposed Dangerous Method Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Voltronic Power ViewPower. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the updateManagerPassword method. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-22010."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-03T02:15:07.769Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1880",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1880/"
}
],
"source": {
"lang": "en",
"value": "06fe5fd2bc53027c4a3b7e395af0b850e7b8a044"
},
"title": "Voltronic Power ViewPower updateManagerPassword Exposed Dangerous Method Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51574",
"datePublished": "2024-05-03T02:15:07.769Z",
"dateReserved": "2023-12-20T20:38:20.867Z",
"dateUpdated": "2024-08-02T22:40:33.602Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51573 (GCVE-0-2023-51573)
Vulnerability from cvelistv5 – Published: 2024-04-01 21:18 – Updated: 2024-08-02 22:40- CWE-749 - Exposed Dangerous Method or Function
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Voltronic Power | ViewPower Pro |
Affected:
2.0-22165
|
|
| voltronic_power | viewpower_pro |
Affected:
2.0-22165
cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:voltronic_power:viewpower_pro:2.0-22165:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "viewpower_pro",
"vendor": "voltronic_power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51573",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-03T14:36:18.724567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T13:27:14.236Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1879",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1879/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ViewPower Pro",
"vendor": "Voltronic Power",
"versions": [
{
"status": "affected",
"version": "2.0-22165"
}
]
}
],
"dateAssigned": "2023-12-20T20:45:49.250Z",
"datePublic": "2023-12-20T23:08:52.846Z",
"descriptions": [
{
"lang": "en",
"value": "Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the updateManagerPassword function. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-21203."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-01T21:18:29.225Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1879",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1879/"
}
],
"source": {
"lang": "en",
"value": "Simon Janz (@esj4y)"
},
"title": "Voltronic Power ViewPower Pro updateManagerPassword Exposed Dangerous Function Authentication Bypass Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-51573",
"datePublished": "2024-04-01T21:18:29.225Z",
"dateReserved": "2023-12-20T20:38:20.867Z",
"dateUpdated": "2024-08-02T22:40:33.453Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-50424 (GCVE-0-2023-50424)
Vulnerability from cvelistv5 – Published: 2023-12-12 01:59 – Updated: 2026-02-25 16:34- CWE-749 - Exposed Dangerous Method or Function
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | github.com/sap/cloud-security-client-go |
Affected:
< 0.17.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/SAP/cloud-security-client-go"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/github.com/sap/cloud-security-client-go@v0.17.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50424",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-14T05:00:16.106134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:34:35.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "github.com/sap/cloud-security-client-go",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP\u00a0BTP\u00a0Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions \u0026lt; 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\u003c/p\u003e"
}
],
"value": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions \u003c 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:19:05.889Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"url": "https://github.com/SAP/cloud-security-client-go"
},
{
"url": "https://pkg.go.dev/github.com/sap/cloud-security-client-go@v0.17.0"
},
{
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Escalation of Privileges in\u00a0SAP\u00a0BTP\u00a0Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-50424",
"datePublished": "2023-12-12T01:59:36.703Z",
"dateReserved": "2023-12-09T17:19:02.677Z",
"dateUpdated": "2026-02-25T16:34:35.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-50423 (GCVE-0-2023-50423)
Vulnerability from cvelistv5 – Published: 2023-12-12 01:52 – Updated: 2026-02-25 16:34- CWE-749 - Exposed Dangerous Method or Function
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.591Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://pypi.org/project/sap-xssec/"
},
{
"tags": [
"x_transferred"
],
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/SAP/cloud-pysec/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50423",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-14T05:00:15.335829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:34:36.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "sap-xssec",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "\u003c 4.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions \u0026lt; 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\u003c/p\u003e"
}
],
"value": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Python]\u00a0sap-xssec) - versions \u003c 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:18:31.778Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"url": "https://pypi.org/project/sap-xssec/"
},
{
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/SAP/cloud-pysec/security/advisories/GHSA-6mjg-37cp-42x5"
},
{
"url": "https://github.com/SAP/cloud-pysec/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Escalation of Privileges in\u00a0SAP\u00a0BTP\u00a0Security Services Integration Library ([Python] cloud-pysec)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-50423",
"datePublished": "2023-12-12T01:52:44.999Z",
"dateReserved": "2023-12-09T17:19:02.677Z",
"dateUpdated": "2026-02-25T16:34:36.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-50422 (GCVE-0-2023-50422)
Vulnerability from cvelistv5 – Published: 2023-12-12 01:31 – Updated: 2026-02-25 16:34- CWE-749 - Exposed Dangerous Method or Function
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | cloud-security-services-integration-library |
Affected:
< 2.17.0
Affected: 3.0.0 , < 3.3.0 (custom) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.536Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/SAP/cloud-security-services-integration-library/"
},
{
"tags": [
"x_transferred"
],
"url": "https://mvnrepository.com/artifact/com.sap.cloud.security/java-security"
},
{
"tags": [
"x_transferred"
],
"url": "https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security"
},
{
"tags": [
"x_transferred"
],
"url": "https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa"
},
{
"tags": [
"x_transferred"
],
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3413475"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-14T05:00:14.377359Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:34:36.244Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cloud-security-services-integration-library",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "\u003c 2.17.0"
},
{
"lessThan": "3.3.0",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP\u00a0BTP\u00a0Security Services Integration Library ([Java] cloud-security-services-integration-library) -\u00a0versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\u003c/p\u003e"
}
],
"value": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Java] cloud-security-services-integration-library) -\u00a0versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:17:43.519Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"url": "https://github.com/SAP/cloud-security-services-integration-library/"
},
{
"url": "https://mvnrepository.com/artifact/com.sap.cloud.security/java-security"
},
{
"url": "https://mvnrepository.com/artifact/com.sap.cloud.security/spring-security"
},
{
"url": "https://mvnrepository.com/artifact/com.sap.cloud.security.xsuaa/spring-xsuaa"
},
{
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/SAP/cloud-security-services-integration-library/security/advisories/GHSA-59c9-pxq8-9c73"
},
{
"url": "https://me.sap.com/notes/3413475"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Escalation of Privileges in\u00a0SAP\u00a0BTP\u00a0Security Services Integration Library ([Java]\u00a0cloud-security-services-integration-library)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-50422",
"datePublished": "2023-12-12T01:31:17.991Z",
"dateReserved": "2023-12-09T17:19:02.677Z",
"dateUpdated": "2026-02-25T16:34:36.244Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49583 (GCVE-0-2023-49583)
Vulnerability from cvelistv5 – Published: 2023-12-12 01:22 – Updated: 2026-02-25 16:34- CWE-749 - Exposed Dangerous Method or Function
| Vendor | Product | Version | |
|---|---|---|---|
| SAP_SE | @sap/xssec |
Affected:
< 3.6.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:01:25.145Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.npmjs.com/package/@sap/xssec"
},
{
"tags": [
"x_transferred"
],
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3412456"
},
{
"tags": [
"x_transferred"
],
"url": "https://me.sap.com/notes/3413475"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2023-12-14T05:00:13.675299Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T16:34:36.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "@sap/xssec",
"vendor": "SAP_SE",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eSAP\u00a0BTP\u00a0Security Services Integration Library ([Node.js] @sap/xssec - versions \u0026lt; 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.\u003c/p\u003e"
}
],
"value": "SAP\u00a0BTP\u00a0Security Services Integration Library ([Node.js] @sap/xssec - versions \u003c 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-28T22:15:23.358Z",
"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"shortName": "sap"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://me.sap.com/notes/3411067"
},
{
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
},
{
"url": "https://www.npmjs.com/package/@sap/xssec"
},
{
"url": "https://blogs.sap.com/2023/12/12/unveiling-critical-security-updates-sap-btp-security-note-3411067/"
},
{
"url": "https://me.sap.com/notes/3412456"
},
{
"url": "https://me.sap.com/notes/3413475"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Escalation of Privileges in\u00a0SAP\u00a0BTP\u00a0Security Services Integration Library ([Node.js]\u00a0@sap/xssec)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
"assignerShortName": "sap",
"cveId": "CVE-2023-49583",
"datePublished": "2023-12-12T01:22:58.910Z",
"dateReserved": "2023-11-27T18:45:03.233Z",
"dateUpdated": "2026-02-25T16:34:36.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-49074 (GCVE-0-2023-49074)
Vulnerability from cvelistv5 – Published: 2024-04-09 14:12 – Updated: 2025-11-04 18:19- CWE-749 - Exposed Dangerous Method or Function
| Vendor | Product | Version | |
|---|---|---|---|
| Tp-Link | AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) |
Affected:
v5.1.0 Build 20220926
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49074",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-15T15:42:34.807142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:27:54.416Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T18:19:33.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1861",
"tags": [
"x_transferred"
],
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1861"
},
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1861"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3)",
"vendor": "Tp-Link",
"versions": [
{
"status": "affected",
"version": "v5.1.0 Build 20220926"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by the Vulnerability Discovery and Research team of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated packets to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T17:00:11.037Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1861",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1861"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2023-49074",
"datePublished": "2024-04-09T14:12:48.559Z",
"dateReserved": "2023-11-21T14:38:31.718Z",
"dateUpdated": "2025-11-04T18:19:33.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-44414 (GCVE-0-2023-44414)
Vulnerability from cvelistv5 – Published: 2024-05-03 02:13 – Updated: 2024-09-18 18:30- CWE-749 - Exposed Dangerous Method or Function
| URL | Tags |
|---|---|
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_research-advisory |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:d-link:d-view:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "d-view",
"vendor": "d-link",
"versions": [
{
"status": "affected",
"version": "*"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-44414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T20:02:02.253716Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:19:21.574Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:07:33.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "ZDI-23-1512",
"tags": [
"x_research-advisory",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1512/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "D-View",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "DLink D-View8 1.0.2.13"
}
]
}
],
"dateAssigned": "2023-09-28T18:14:48.167Z",
"datePublic": "2023-10-04T23:05:23.846Z",
"descriptions": [
{
"lang": "en",
"value": "D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of D-Link D-View. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the coreservice_action_script action. The issue results from the exposure of a dangerous function. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19573."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-18T18:30:21.611Z",
"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"shortName": "zdi"
},
"references": [
{
"name": "ZDI-23-1512",
"tags": [
"x_research-advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1512/"
}
],
"source": {
"lang": "en",
"value": "rgod"
},
"title": "D-Link D-View coreservice_action_script Exposed Dangerous Function Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
"assignerShortName": "zdi",
"cveId": "CVE-2023-44414",
"datePublished": "2024-05-03T02:13:44.671Z",
"dateReserved": "2023-09-28T18:02:49.770Z",
"dateUpdated": "2024-09-18T18:30:21.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42494 (GCVE-0-2023-42494)
Vulnerability from cvelistv5 – Published: 2023-10-25 14:45 – Updated: 2024-09-10 19:51- CWE-749 - Exposed Dangerous Method or Function
| Vendor | Product | Version | |
|---|---|---|---|
| EisBaer Scada | v3.0.6433.1964 |
Affected:
All versions , < Upgrade to the latest version.
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:23:39.317Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42494",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T19:51:07.890955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:51:49.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "v3.0.6433.1964",
"vendor": " EisBaer Scada",
"versions": [
{
"lessThan": " Upgrade to the latest version.",
"status": "affected",
"version": "All versions",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Claroty Research"
}
],
"datePublic": "2023-10-25T14:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": " EisBaer Scada - CWE-749: Exposed Dangerous Method or Function"
}
],
"value": " EisBaer Scada - CWE-749: Exposed Dangerous Method or Function"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T14:45:04.978Z",
"orgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"shortName": "INCD"
},
"references": [
{
"url": "https://www.gov.il/en/Departments/faq/cve_advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eUpgrade to latest version\u003c/span\u003e\n\n\u003cbr\u003e"
}
],
"value": "\nUpgrade to latest version\n\n\n"
}
],
"source": {
"advisory": "ILVN-2023-0145",
"discovery": "UNKNOWN"
},
"title": " EisBaer Scada - CWE-749: Exposed Dangerous Method or Function",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "a57ee1ae-c9c1-4f40-aa7b-cf10760fde3f",
"assignerShortName": "INCD",
"cveId": "CVE-2023-42494",
"datePublished": "2023-10-25T14:45:04.978Z",
"dateReserved": "2023-09-11T07:58:19.184Z",
"dateUpdated": "2024-09-10T19:51:49.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Mitigation
Strategy: Attack Surface Reduction
- Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.