Refine your search
6 vulnerabilities found for Vuforia Studio by PTC
CVE-2023-31200 (GCVE-0-2023-31200)
Vulnerability from cvelistv5
Published
2023-06-07 21:52
Modified
2025-01-06 20:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery
Summary
PTC Vuforia Studio does not require a token; this could allow an
attacker with local access to perform a cross-site request forgery
attack or a replay attack.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PTC | Vuforia Studio |
Version: 0 < 9.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:26.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T20:57:37.389711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T20:57:59.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vuforia Studio",
"vendor": "PTC ",
"versions": [
{
"lessThan": "9.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin\u2014Red Team reported these vulnerabilities to PTC."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\n\n\nPTC Vuforia Studio does not require a token; this could allow an \nattacker with local access to perform a cross-site request forgery \nattack or a replay attack.\n\n"
}
],
"value": "\n\n\n\n\nPTC Vuforia Studio does not require a token; this could allow an \nattacker with local access to perform a cross-site request forgery \nattack or a replay attack.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-07T21:52:29.300Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nPTC recommends users upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/help/vuforia/studio/en/\"\u003eVuforia Studio release 9.9\u003c/a\u003e or higher.\n\n\u003cbr\u003e"
}
],
"value": "PTC recommends users upgrade to Vuforia Studio release 9.9 https://support.ptc.com/help/vuforia/studio/en/ or higher.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PTC Vuforia Studio Cross-Site Request Forgery",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-31200",
"datePublished": "2023-06-07T21:52:29.300Z",
"dateReserved": "2023-04-24T23:30:29.242Z",
"dateUpdated": "2025-01-06T20:57:59.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29502 (GCVE-0-2023-29502)
Vulnerability from cvelistv5
Published
2023-06-07 21:50
Modified
2025-01-06 20:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Path Traversal
Summary
Before importing a project into Vuforia, a user could modify the
“resourceDirectory” attribute in the appConfig.json file to be a
different path.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PTC | Vuforia Studio |
Version: 0 < 9.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:46.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T20:59:06.559728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T20:59:14.814Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vuforia Studio",
"vendor": "PTC ",
"versions": [
{
"lessThan": "9.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin\u2014Red Team reported these vulnerabilities to PTC."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\n\nBefore importing a project into Vuforia, a user could modify the \n\u201cresourceDirectory\u201d attribute in the appConfig.json file to be a \ndifferent path.\n\n"
}
],
"value": "\n\n\n\nBefore importing a project into Vuforia, a user could modify the \n\u201cresourceDirectory\u201d attribute in the appConfig.json file to be a \ndifferent path.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-07T21:50:29.836Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nPTC recommends users upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/help/vuforia/studio/en/\"\u003eVuforia Studio release 9.9\u003c/a\u003e or higher.\n\n\u003cbr\u003e"
}
],
"value": "PTC recommends users upgrade to Vuforia Studio release 9.9 https://support.ptc.com/help/vuforia/studio/en/ or higher.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PTC Vuforia Studio Path Traversal",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-29502",
"datePublished": "2023-06-07T21:50:29.836Z",
"dateReserved": "2023-04-24T23:30:29.260Z",
"dateUpdated": "2025-01-06T20:59:14.814Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27881 (GCVE-0-2023-27881)
Vulnerability from cvelistv5
Published
2023-06-07 21:48
Modified
2025-01-06 19:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
A user could use the “Upload Resource” functionality to upload files to any location on the disk.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PTC | Vuforia Studio |
Version: 0 < 9.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:23:30.843Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-27881",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:57:12.460493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:57:24.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vuforia Studio",
"vendor": "PTC ",
"versions": [
{
"lessThan": "9.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin\u2014Red Team reported these vulnerabilities to PTC."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\n\nA user could use the \u201cUpload Resource\u201d functionality to upload files to any location on the disk.\n\n"
}
],
"value": "\n\n\nA user could use the \u201cUpload Resource\u201d functionality to upload files to any location on the disk.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-07T21:48:50.037Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nPTC recommends users upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/help/vuforia/studio/en/\"\u003eVuforia Studio release 9.9\u003c/a\u003e or higher.\n\n\u003cbr\u003e"
}
],
"value": "PTC recommends users upgrade to Vuforia Studio release 9.9 https://support.ptc.com/help/vuforia/studio/en/ or higher.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PTC Vuforia Studio Unrestricted Upload of File with Dangerous Type",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-27881",
"datePublished": "2023-06-07T21:48:50.037Z",
"dateReserved": "2023-04-24T23:30:29.252Z",
"dateUpdated": "2025-01-06T19:57:24.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29152 (GCVE-0-2023-29152)
Vulnerability from cvelistv5
Published
2023-06-07 21:46
Modified
2025-01-06 21:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
By changing the filename parameter in the request, an attacker could
delete any file with the permissions of the Vuforia server account.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PTC | Vuforia Studio |
Version: 0 < 9.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29152",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T21:22:12.257623Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T21:22:20.741Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vuforia Studio",
"vendor": "PTC ",
"versions": [
{
"lessThan": "9.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin\u2014Red Team reported these vulnerabilities to PTC."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\nBy changing the filename parameter in the request, an attacker could \ndelete any file with the permissions of the Vuforia server account.\n\n"
}
],
"value": "\n\nBy changing the filename parameter in the request, an attacker could \ndelete any file with the permissions of the Vuforia server account.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-07T21:46:20.797Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nPTC recommends users upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/help/vuforia/studio/en/\"\u003eVuforia Studio release 9.9\u003c/a\u003e or higher.\n\n\u003cbr\u003e"
}
],
"value": "PTC recommends users upgrade to Vuforia Studio release 9.9 https://support.ptc.com/help/vuforia/studio/en/ or higher.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PTC Vuforia Studio Improper Authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-29152",
"datePublished": "2023-06-07T21:46:20.797Z",
"dateReserved": "2023-04-24T23:30:29.256Z",
"dateUpdated": "2025-01-06T21:22:20.741Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-24476 (GCVE-0-2023-24476)
Vulnerability from cvelistv5
Published
2023-06-07 21:44
Modified
2025-01-06 19:52
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
An attacker with local access to the machine could record the traffic,
which could allow them to resend requests without the server
authenticating that the user or session are valid.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PTC | Vuforia Studio |
Version: 0 < 9.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:56:04.159Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-24476",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:52:06.745459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:52:37.584Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vuforia Studio",
"vendor": "PTC ",
"versions": [
{
"lessThan": "9.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin\u2014Red Team reported these vulnerabilities to PTC."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\nAn attacker with local access to the machine could record the traffic, \nwhich could allow them to resend requests without the server \nauthenticating that the user or session are valid.\n\n"
}
],
"value": "\nAn attacker with local access to the machine could record the traffic, \nwhich could allow them to resend requests without the server \nauthenticating that the user or session are valid.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 1.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-07T21:44:56.326Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nPTC recommends users upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/help/vuforia/studio/en/\"\u003eVuforia Studio release 9.9\u003c/a\u003e or higher.\n\n\u003cbr\u003e"
}
],
"value": "PTC recommends users upgrade to Vuforia Studio release 9.9 https://support.ptc.com/help/vuforia/studio/en/ or higher.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PTC Vuforia Studio Improper Authorization",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-24476",
"datePublished": "2023-06-07T21:44:56.326Z",
"dateReserved": "2023-04-24T23:30:29.247Z",
"dateUpdated": "2025-01-06T19:52:37.584Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29168 (GCVE-0-2023-29168)
Vulnerability from cvelistv5
Published
2023-06-07 21:42
Modified
2025-01-06 19:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Summary
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PTC | Vuforia Studio |
Version: 0 < 9.9 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:15.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T19:58:20.177196Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T19:58:39.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vuforia Studio",
"vendor": "PTC ",
"versions": [
{
"lessThan": "9.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin\u2014Red Team reported these vulnerabilities to PTC."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nThe local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.\n\n"
}
],
"value": "The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-07T21:42:46.886Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-13"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nPTC recommends users upgrade to \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://support.ptc.com/help/vuforia/studio/en/\"\u003eVuforia Studio release 9.9\u003c/a\u003e or higher.\n\n\u003cbr\u003e"
}
],
"value": "PTC recommends users upgrade to Vuforia Studio release 9.9 https://support.ptc.com/help/vuforia/studio/en/ or higher.\n\n\n"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "PTC Vuforia Studio Insufficiently Protected Credentials",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2023-29168",
"datePublished": "2023-06-07T21:42:46.886Z",
"dateReserved": "2023-04-24T23:30:29.237Z",
"dateUpdated": "2025-01-06T19:58:39.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}