Vulnerability Description
The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credentials to connect to a remote MQTT broker entity) instead of HTTPS and this feature is not configurable by the user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Boschrexroth | Ctrlx Hmi Web Panel Wr2107 Firmware | All versions |
| Boschrexroth | Ctrlx Hmi Web Panel Wr2107 | - |
| Boschrexroth | Ctrlx Hmi Web Panel Wr2110 Firmware | All versions |
| Boschrexroth | Ctrlx Hmi Web Panel Wr2110 | - |
| Boschrexroth | Ctrlx Hmi Web Panel Wr2115 Firmware | All versions |
| Boschrexroth | Ctrlx Hmi Web Panel Wr2115 | - |
Related Weaknesses (CWE)
References
- https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.htmlMitigationVendor Advisory
- https://psirt.bosch.com/security-advisories/BOSCH-SA-175607.htmlMitigationVendor Advisory
FAQ
What is CVE-2023-45220?
CVE-2023-45220 is a vulnerability with a CVSS score of 8.8 (HIGH). The Android Client application, when enrolled with the define method 1(the user manually inserts the server ip address), use HTTP protocol to retrieve sensitive information (ip address and credential...
How severe is CVE-2023-45220?
CVE-2023-45220 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-45220?
Check the references section above for vendor advisories and patch information. Affected products include: Boschrexroth Ctrlx Hmi Web Panel Wr2107 Firmware, Boschrexroth Ctrlx Hmi Web Panel Wr2107, Boschrexroth Ctrlx Hmi Web Panel Wr2110 Firmware, Boschrexroth Ctrlx Hmi Web Panel Wr2110, Boschrexroth Ctrlx Hmi Web Panel Wr2115 Firmware.