CVE-2023-28361

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-28361
A Cross-site WebSocket Hijacking (CSWSH) vulnerability found in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a malicious webpage.Affected Products:Cloud Key Gen2Cloud Key Gen2 PlusUNVRUNVR ProfessionalUDMUDM ProfessionalUDM SEUDRMitigation:Update affected products to UniFi OS 3.0.13 or later.

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://community.ui.com/releases/Security-Advisory-Bulletin-030-030/f9de9e65-585f-4c66-81e9-5d8f54ba66dd Vendor Advisory
https://community.ui.com/releases/Security-Advisory-Bulletin-030-030/f9de9e65-585f-4c66-81e9-5d8f54ba66dd Vendor Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:uni:unifi_os:*:*:*:*:*:*:*:*
OR cpe:2.3:h:uni:cloud_key_gen2:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:cloud_key_gen2_plus:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:ubiquiti_networks_unifi_dream_machine:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:ubiquiti_networks_unifi_dream_machine_professional:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:ubiquiti_networks_unifi_dream_machine_se:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:unifi_dream_router:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:unifi_protect_network_video_recorder:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:unifi_protect_network_video_recorder_professional:-:*:*:*:*:*:*:*
History

27 Jan 2025, 17:15

Type Values Removed Values Added
References (MISC) https://community.ui.com/releases/Security-Advisory-Bulletin-030-030/f9de9e65-585f-4c66-81e9-5d8f54ba66dd - Vendor Advisory () https://community.ui.com/releases/Security-Advisory-Bulletin-030-030/f9de9e65-585f-4c66-81e9-5d8f54ba66dd - Vendor Advisory

22 May 2023, 16:42

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
CWE CWE-352
First Time Uni
Uni cloud Key Gen2 Plus
Uni ubiquiti Networks Unifi Dream Machine
Uni unifi Protect Network Video Recorder Professional
Uni ubiquiti Networks Unifi Dream Machine Professional
Uni unifi Protect Network Video Recorder
Uni ubiquiti Networks Unifi Dream Machine Se
Uni unifi Os
Uni cloud Key Gen2
Uni unifi Dream Router
CPE cpe:2.3:h:uni:ubiquiti_networks_unifi_dream_machine:-:*:*:*:*:*:*:*
cpe:2.3:o:uni:unifi_os:*:*:*:*:*:*:*:*
cpe:2.3:h:uni:unifi_protect_network_video_recorder_professional:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:cloud_key_gen2:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:ubiquiti_networks_unifi_dream_machine_professional:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:cloud_key_gen2_plus:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:unifi_dream_router:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:ubiquiti_networks_unifi_dream_machine_se:-:*:*:*:*:*:*:*
cpe:2.3:h:uni:unifi_protect_network_video_recorder:-:*:*:*:*:*:*:*
References (MISC) https://community.ui.com/releases/Security-Advisory-Bulletin-030-030/f9de9e65-585f-4c66-81e9-5d8f54ba66dd - (MISC) https://community.ui.com/releases/Security-Advisory-Bulletin-030-030/f9de9e65-585f-4c66-81e9-5d8f54ba66dd - Vendor Advisory

11 May 2023, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-05-11 22:15

Updated : 2025-01-27 17:15

NVD link : CVE-2023-28361

Mitre link : CVE-2023-28361

JSON object : View

Products Affected

uni

  • unifi_dream_router
  • unifi_os
  • ubiquiti_networks_unifi_dream_machine_se
  • cloud_key_gen2
  • cloud_key_gen2_plus
  • ubiquiti_networks_unifi_dream_machine_professional
  • unifi_protect_network_video_recorder_professional
  • unifi_protect_network_video_recorder
  • ubiquiti_networks_unifi_dream_machine
CWE
CWE-352

Cross-Site Request Forgery (CSRF)