Vulnerability Description
The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could allow any authorized user to receive alarm information and signals meant for other devices which leak a deviceId.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Getnexx | Nxal-100 Firmware | <= nxal100v-p1-9-1 |
| Getnexx | Nxal-100 | - |
| Getnexx | Nxg-100B Firmware | <= nxg100bv-p3-4-1 |
| Getnexx | Nxg-100B | - |
| Getnexx | Nxpg-100W Firmware | <= nxpg100cv4-0-0 |
| Getnexx | Nxpg-100W | - |
| Getnexx | Nxg-200 Firmware | <= nxg200v-p3-4-1 |
| Getnexx | Nxg-200 | - |
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01Third Party AdvisoryUS Government Resource
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2023-1751?
CVE-2023-1751 is a vulnerability with a CVSS score of 7.5 (HIGH). The listed versions of Nexx Smart Home devices use a WebSocket server that does not validate if the bearer token in the Authorization header belongs to the device attempting to associate. This could a...
How severe is CVE-2023-1751?
CVE-2023-1751 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-1751?
Check the references section above for vendor advisories and patch information. Affected products include: Getnexx Nxal-100 Firmware, Getnexx Nxal-100, Getnexx Nxg-100B Firmware, Getnexx Nxg-100B, Getnexx Nxpg-100W Firmware.