
Rewterz Threat Advisory – ICS: Multiple Delta Electronics InfraSuite Device Master Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-47279 CVSS:7.5

Delta Electronics InfraSuite Device Master could allow a remote attacker to traverse directories on the system because user requests are improperly validated. Using a specially crafted UDP packet, an attacker could send a URL request containing “dot dot” sequences (/../) to obtain plaintext credentials or carry out NTLM relaying.

CVE-2023-39226 CVSS:9.8

Delta Electronics InfraSuite Device Master could allow a remote attacker to execute arbitrary code on the system because of an exposed dangerous function or method. An attacker could exploit this vulnerability by sending a specially crafted UDP packet.

CVE-2023-47207 CVSS:9.8

Delta Electronics InfraSuite Device Master could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system with local administrator privileges.

CVE-2023-46690 CVSS:8.8

Delta Electronics InfraSuite Device Master could allow a remote authenticated attacker to traverse directories on the system, caused by improper validation of user requests. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to write any file to any location on the filesystem.

Impact

  • Information Theft
  • Code Execution

Indicators Of Compromise

CVE

  • CVE-2023-47279
  • CVE-2023-39226
  • CVE-2023-47207
  • CVE-2023-46690

Affected Vendors

Delta Electronics

Affected Products

  • Delta Electronics InfraSuite Device Master 1.0.0
  • Delta Electronics InfraSuite Device Master 1.0.6

Remediation

Upgrade to the latest version of InfraSuite Device Master, available from the Delta Electronics Web site.
