Vuforia Studio
CVE-2023-29168
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.
AnalysisAI
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication. Affected products include: Ptc Vuforia Studio.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.
More in Vuforia Studio
View allA user could use the “Upload Resource” functionality to upload files to any location on the disk. Rated critical severit
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia
PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site requ
Before importing a project into Vuforia, a user could modify the “resourceDirectory” attribute in the appConfig.json fil
An attacker with local access to the machine could record the traffic, which could allow them to resend requests without
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today