Skip to main content

Development System CVE-2023-3670

HIGH
Exposure of Resource to Wrong Sphere (CWE-668)
2023-07-28 info@cert.vde.com
7.3
CVSS 3.1 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from Vendor (cert) · only source for this CVE.

CVSS VectorVendor: cert

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 28, 2023 - 08:15 cve.org
HIGH 7.3

DescriptionCVE.org

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users.

AnalysisAI

In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Exposure of Resource to Wrong Sphere (CWE-668), which allows attackers to access resources from an unintended security context. In CODESYS Development System 3.5.9.0 to 3.5.17.0 and CODESYS Scripting 4.0.0.0 to 4.1.0.0 unsafe directory permissions would allow an attacker with local access to the workstation to place potentially harmful and disguised scripts that could be executed by legitimate users. Affected products include: Codesys Development System, Codesys Scripting.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement proper access controls, validate resource access permissions, use security boundaries.

CVE-2021-21866 HIGH POC
7.8 Aug 02

A unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality o

CVE-2021-21864 HIGH POC
7.8 Aug 02

A unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionalit

CVE-2021-29240 HIGH POC
7.8 May 04

The Package Manager of CODESYS Development System 3 before 3.5.17.0 does not check the validity of packages before insta

CVE-2019-9010 CRITICAL
9.8 Aug 15

An issue was discovered in 3S-Smart CODESYS V3 products. Rated critical severity (CVSS 9.8), this vulnerability is remot

CVE-2023-3663 HIGH
8.8 Aug 03

In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unau

CVE-2019-9013 HIGH
8.8 Aug 15

An issue was discovered in 3S-Smart CODESYS V3 products. Rated high severity (CVSS 8.8), this vulnerability is no authen

CVE-2022-22515 HIGH
8.1 Apr 07

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vuln

CVE-2022-22516 HIGH
7.8 Apr 07

The SysDrv3S driver in the CODESYS Control runtime system on Microsoft Windows allows any system user to read and write

CVE-2021-21863 HIGH
7.8 Aug 05

A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH COD

CVE-2021-21865 HIGH
7.8 Aug 02

A unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of

CVE-2021-29239 HIGH
7.8 May 03

CODESYS Development System 3 before 3.5.17.0 displays or executes malicious documents or files embedded in libraries wit

CVE-2021-29241 HIGH
7.5 May 03

CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS). Rated hi

Share

CVE-2023-3670 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy