Configuration Backup Missing Authentication Information Disclosure Vulnerability
CVE-2024-5947

6.5MEDIUM

Key Information:

Vendor
Deep Sea Electronics
Status
Dse855
Vendor
CVE Published:
13 June 2024

Badges

👾 Exploit Exists🟣 EPSS 61%

Summary

Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.

Affected Version(s)

DSE855 1.1.0

References

https://www.zerodayinitiative.com/advisories/ZDI-24-671/
x_research-advisory

EPSS Score

61% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-5947 : Configuration Backup Missing Authentication Information Disclosure Vulnerability | SecurityVulnerability.io