CVE-2023-39167 (GCVE-0-2023-39167)
Vulnerability from cvelistv5 – Published: 2023-12-07 14:05 – Updated: 2025-11-04 19:17
VLAI?
Title
SENEC: Storage Box V1,V2 and V3 affected by improper access control vulnerability
Summary
In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| SENEC | Storage Box V1 |
Affected:
all (until 19.06.2023)
|
||||||||||||
|
||||||||||||||
Credits
Ph0s[4]
R0ckE7
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-04T19:17:34.708Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2023/Nov/5"
},
{
"url": "http://seclists.org/fulldisclosure/2023/Nov/10"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Storage Box V1",
"vendor": "SENEC",
"versions": [
{
"status": "affected",
"version": "all (until 19.06.2023)"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Storage Box V2",
"vendor": "SENEC",
"versions": [
{
"status": "affected",
"version": "all (until 19.06.2023)"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Storage Box V3",
"vendor": "SENEC",
"versions": [
{
"status": "affected",
"version": "all (until 19.06.2023)"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Ph0s[4]"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "R0ckE7"
}
],
"datePublic": "2023-12-07T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In\u0026nbsp;SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices\u0027 logfiles that contain sensitive data."
}
],
"value": "In\u00a0SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices\u0027 logfiles that contain sensitive data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-14T14:35:53.018Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://seclists.org/fulldisclosure/2023/Nov/5"
}
],
"source": {
"defect": [
"CERT@VDE#64567"
],
"discovery": "EXTERNAL"
},
"title": "SENEC: Storage Box V1,V2 and V3 affected by improper access control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2023-39167",
"datePublished": "2023-12-07T14:05:01.746Z",
"dateReserved": "2023-07-25T14:06:01.343Z",
"dateUpdated": "2025-11-04T19:17:34.708Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2023-06-19\", \"matchCriteriaId\": \"8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:enbw:senec_storage_box:v1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A73E447-D78F-420B-B256-1F157A6DA364\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2023-06-19\", \"matchCriteriaId\": \"8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:enbw:senec_storage_box:v2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"300B219B-45CA-44C0-AC39-D94057FA8860\"}]}]}, {\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2023-06-19\", \"matchCriteriaId\": \"8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:enbw:senec_storage_box:v3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"449C542C-CAE3-42A9-BF45-EE6E828A4EBE\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"In\\u00a0SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices\u0027 logfiles that contain sensitive data.\"}, {\"lang\": \"es\", \"value\": \"En SENEC Storage Box V1, V2 y V3, un atacante remoto no autenticado puede obtener los archivos de registro de los dispositivos que contienen datos confidenciales.\"}]",
"id": "CVE-2023-39167",
"lastModified": "2024-11-21T08:14:50.490",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"info@cert.vde.com\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2023-12-07T14:15:07.467",
"references": "[{\"url\": \"https://seclists.org/fulldisclosure/2023/Nov/5\", \"source\": \"info@cert.vde.com\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://seclists.org/fulldisclosure/2023/Nov/5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Mailing List\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "info@cert.vde.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"info@cert.vde.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-862\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-39167\",\"sourceIdentifier\":\"info@cert.vde.com\",\"published\":\"2023-12-07T14:15:07.467\",\"lastModified\":\"2025-11-04T20:16:35.447\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In\u00a0SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices\u0027 logfiles that contain sensitive data.\"},{\"lang\":\"es\",\"value\":\"En SENEC Storage Box V1, V2 y V3, un atacante remoto no autenticado puede obtener los archivos de registro de los dispositivos que contienen datos confidenciales.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"info@cert.vde.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2023-06-19\",\"matchCriteriaId\":\"8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:enbw:senec_storage_box:v1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A73E447-D78F-420B-B256-1F157A6DA364\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2023-06-19\",\"matchCriteriaId\":\"8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:enbw:senec_storage_box:v2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"300B219B-45CA-44C0-AC39-D94057FA8860\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:enbw:senec_storage_box_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2023-06-19\",\"matchCriteriaId\":\"8C6796ED-84F3-47E8-BD21-5CEBC1DD62E0\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:enbw:senec_storage_box:v3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"449C542C-CAE3-42A9-BF45-EE6E828A4EBE\"}]}]}],\"references\":[{\"url\":\"https://seclists.org/fulldisclosure/2023/Nov/5\",\"source\":\"info@cert.vde.com\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/fulldisclosure/2023/Nov/10\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/fulldisclosure/2023/Nov/5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Mailing List\",\"Third Party Advisory\"]}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…