CVE-2023-46388

LOYTEC electronics GmbH LINX-212 and LINX-151 devices (all versions) are vulnerable to Insecure Permissions via dpal_config.zml file. This vulnerability allows remote attackers to disclose smtp client account credentials and bypass email authentication.

Weakness

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Affected Software

Name	Vendor	Start Version	End Version
Linx-212_firmware	Loytec	6.2.4 (including)	6.2.4 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/37.html

References

http://packetstormsecurity.com/files/175952/Loytec-L-INX-Automation-Servers-Information-Disclosure-Cleartext-Secrets.html
http://seclists.org/fulldisclosure/2023/Nov/7
https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
https://www.txone.com/blog/ten-unpatched-vulnerabilities-in-building-automation-products-identified-by-txone-networks/
http://packetstormsecurity.com/files/175952/Loytec-L-INX-Automation-Servers-Information-Disclosure-Cleartext-Secrets.html
http://seclists.org/fulldisclosure/2023/Nov/7
https://www.txone.com/blog/ten-unpatched-vulnerabilities-in-building-automation-products-identified-by-txone-networks/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-46388
CWE	https://cwe.mitre.org/data/definitions/312.html

Cleartext Storage of Sensitive Information

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References