Vuforia Studio
CVE-2023-29152
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account.
AnalysisAI
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-285. By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account. Affected products include: Ptc Vuforia Studio.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Vuforia Studio
View allA user could use the “Upload Resource” functionality to upload files to any location on the disk. Rated critical severit
PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site requ
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.
Before importing a project into Vuforia, a user could modify the “resourceDirectory” attribute in the appConfig.json fil
An attacker with local access to the machine could record the traffic, which could allow them to resend requests without
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today