Vuforia Studio
CVE-2023-29502
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Before importing a project into Vuforia, a user could modify the “resourceDirectory” attribute in the appConfig.json file to be a different path.
AnalysisAI
Before importing a project into Vuforia, a user could modify the “resourceDirectory” attribute in the appConfig.json file to be a different path. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. Before importing a project into Vuforia, a user could modify the “resourceDirectory” attribute in the appConfig.json file to be a different path. Affected products include: Ptc Vuforia Studio.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
More in Vuforia Studio
View allA user could use the “Upload Resource” functionality to upload files to any location on the disk. Rated critical severit
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia
PTC Vuforia Studio does not require a token; this could allow an attacker with local access to perform a cross-site requ
The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication.
An attacker with local access to the machine could record the traffic, which could allow them to resend requests without
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today