CVE-2023-1749

Published: Apr 4, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute.

Affected (4)

Products: Getnexx: Nxal 100 Firmware, Nxg 100b Firmware, Nxpg 100w Firmware, Nxg 200 Firmware

4 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Getnexx Nxal 100 Firmware	Up to nxal100v-p1-9-1

Running on/with	Platform Versions
Getnexx Nxal 100	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Getnexx Nxg 100b Firmware	Up to nxg100bv-p3-4-1

Running on/with	Platform Versions
Getnexx Nxg 100b	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Getnexx Nxpg 100w Firmware	Up to nxpg100cv4-0-0

Running on/with	Platform Versions
Getnexx Nxpg 100w	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Getnexx Nxg 200 Firmware	Up to nxg200v-p3-4-1

Running on/with	Platform Versions
Getnexx Nxg 200	All versions

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01

Source: ics-cert@hq.dhs.gov

Third Party AdvisoryUS Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

Timeline

No history available yet.