Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-5935

Summary
Assigner-Nozomi
Assigner Org ID-bec8025f-a851-46e5-b3a3-058e6b0aa23c
Published At-15 May, 2024 | 16:02
Updated At-02 Aug, 2024 | 08:14
Rejected At-
Credits

Missing authentication for local web interface in Arc before v1.6.0

When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Nozomi
Assigner Org ID:bec8025f-a851-46e5-b3a3-058e6b0aa23c
Published At:15 May, 2024 | 16:02
Updated At:02 Aug, 2024 | 08:14
Rejected At:
▼CVE Numbering Authority (CNA)
Missing authentication for local web interface in Arc before v1.6.0

When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

Affected Products
Vendor
Nozomi Networks
Product
Arc
Default Status
unaffected
Versions
Affected
  • From 0 before 1.6.0 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-306CWE-306 Missing Authentication for Critical Function
Type: CWE
CWE ID: CWE-306
Description: CWE-306 Missing Authentication for Critical Function
Metrics
VersionBase scoreBase severityVector
3.17.4HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.07.3HIGH
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Version: 4.0
Base score: 7.3
Base severity: HIGH
Vector:
CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-212CAPEC-212 Functionality Misuse
CAPEC ID: CAPEC-212
Description: CAPEC-212 Functionality Misuse
Solutions

Upgrade to v1.6.0 or later.

Configurations
Workarounds
Exploits
Credits
finder
This issue was found by Diego Giubertoni of Nozomi Networks Security Research team during an internal penetration testing session.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.nozominetworks.com/NN-2023:13-01
N/A
Hyperlink: https://security.nozominetworks.com/NN-2023:13-01
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
nozominetworks
Product
arc
CPEs
  • cpe:2.3:a:nozominetworks:arc:*:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • From 0 before 1.6.0 (semver)
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.nozominetworks.com/NN-2023:13-01
x_transferred
Hyperlink: https://security.nozominetworks.com/NN-2023:13-01
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:prodsec@nozominetworks.com
Published At:15 May, 2024 | 16:15
Updated At:28 May, 2024 | 13:15

When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.4HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-306Secondaryprodsec@nozominetworks.com
CWE ID: CWE-306
Type: Secondary
Source: prodsec@nozominetworks.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://security.nozominetworks.com/NN-2023:13-01prodsec@nozominetworks.com
N/A
Hyperlink: https://security.nozominetworks.com/NN-2023:13-01
Source: prodsec@nozominetworks.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2023-5253
Matching Score-6
Assigner-Nozomi Networks Inc.
ShareView Details
Matching Score-6
Assigner-Nozomi Networks Inc.
CVSS Score-6.3||MEDIUM
EPSS-0.24% / 47.38%
||
7 Day CHG~0.00%
Published-15 Jan, 2024 | 10:53
Updated-17 Jun, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Check Point IoT integration: WebSocket returns assets data without authentication in Guardian/CMC before 23.3.0

A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC, may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge on the underlying system may be able to extract limited asset information.

Action-Not Available
Vendor-nozominetworksNozomi Networks
Product-cmcguardianGuardianCMC
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2021-21535
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-7.4||HIGH
EPSS-0.03% / 8.09%
||
7 Day CHG~0.00%
Published-30 Apr, 2021 | 17:40
Updated-16 Sep, 2024 | 23:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Hybrid Client versions prior to 1.5 contain a missing authentication for a critical function vulnerability. A local unauthenticated attacker may exploit this vulnerability in order to gain root level access to the system.

Action-Not Available
Vendor-Dell Inc.
Product-hybrid_clientDell Hybrid Client (DHC)
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2025-7679
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
ShareView Details
Matching Score-4
Assigner-Asea Brown Boveri Ltd. (ABB)
CVSS Score-8.9||HIGH
EPSS-0.02% / 3.16%
||
7 Day CHG~0.00%
Published-11 Aug, 2025 | 18:36
Updated-12 Aug, 2025 | 14:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Session ID Basic Auth Bypass

Missing Authentication for Critical Function vulnerability in ABB Aspect.This issue affects Aspect: All versions.

Action-Not Available
Vendor-ABB
Product-Aspect
CWE ID-CWE-306
Missing Authentication for Critical Function
Details not found