CVE-2023-1109


In Phoenix Contact's ENERGY AXC PU web service, an authenticated restricted user of the web frontend can access, read, write and create files throughout the file system using specially crafted URLs via the upload and download functionality of the web service. This may lead to full control of the service.


Published

2023-04-17T08:15:07.627

Last Modified

2024-11-21T07:38:28.530

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-22
  • Type: Primary
    NVD-CWE-noinfo

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | phoenixcontact | energy_axc_pu | ≤ 04.15.00.00 | Yes |
| Operating System | phoenixcontact | infobox_firmware | ≤ 02.02.00.00 | Yes |
| Hardware | phoenixcontact | infobox | - | No |
| Operating System | phoenixcontact | smartrtu_axc_sg_firmware | ≤ 01.08.00.02 | Yes |
| Hardware | phoenixcontact | smartrtu_axc_sg | - | No |
| Operating System | phoenixcontact | smartrtu_axc_ig_firmware | ≤ 01.02.00.01 | Yes |
| Hardware | phoenixcontact | smartrtu_axc_ig | - | No |

References