Vulnerability Details CVE-2023-36622
The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 50.3%
CVSS Severity
CVSS v3 Score 7.2
References
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-012.txt
- https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-miniserver-go-gen-2-syss-2023-004/-012/-013
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-012.txt
- https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-miniserver-go-gen-2-syss-2023-004/-012/-013
Products affected by CVE-2023-36622
-
cpe:2.3:h:loxone:miniserver_go_gen_2:-
-
cpe:2.3:o:loxone:miniserver_go_gen_2_firmware:-