Vulnerability Description
The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Loxone | Miniserver Go Gen 2 Firmware | < 14.1.5.9 |
| Loxone | Miniserver Go Gen 2 | - |
Related Weaknesses (CWE)
References
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-012.t (Exploit, Third Party Advisory)
- https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-miniserv (Third Party Advisory)
FAQ
What is CVE-2023-36622?
CVE-2023-36622 is a vulnerability with a CVSS score of 7.2 (HIGH). The websocket configuration endpoint of the Loxone Miniserver Go Gen.2 before 14.1.5.9 allows remote authenticated administrators to inject arbitrary OS commands via the timezone parameter.
How severe is CVE-2023-36622?
CVE-2023-36622 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-36622?
Check the references section above for vendor advisories and patch information. Affected products include: Loxone Miniserver Go Gen 2 Firmware, Loxone Miniserver Go Gen 2.