Skip to main content

Mbconnect24 CVE-2023-0985

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2023-06-06 info@cert.vde.com
8.8
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (cert) · only source for this CVE.

CVSS VectorVendor: cert

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 06, 2023 - 11:15 cve.org
HIGH 8.8

DescriptionCVE.org

An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account.

AnalysisAI

An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-639. An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account. Affected products include: Mbconnectline Mbconnect24, Mbconnectline Mymbconnect24.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2020-10383 CRITICAL
9.8 Apr 14

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rat

CVE-2026-33615 CRITICAL
9.1 Apr 02

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to ex

CVE-2020-10382 HIGH
8.8 Apr 14

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rat

CVE-2026-10521 HIGH
8.6 Jun 23

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows au

CVE-2024-45273 HIGH
7.8 Oct 15

An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak

CVE-2020-10384 HIGH
7.8 Apr 14

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. Rat

CVE-2026-33616 HIGH
7.5 Apr 02

Blind SQL injection in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows unauthenticated remote attackers to extract

CVE-2026-33614 HIGH
7.5 Apr 02

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 products allows unauthenticated remote attackers to ext

CVE-2024-45272 HIGH
7.5 Oct 15

An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with

CVE-2021-34580 HIGH
7.5 Oct 27

In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind o

CVE-2021-34575 HIGH
7.5 Aug 02

In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by

CVE-2026-33613 HIGH
7.2 Apr 02

Remote code execution in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows high-privileged authenticated attackers to

Share

CVE-2023-0985 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy