CVE-2023-31240

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-31240
Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 Third Party Advisory US Government Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 Third Party Advisory US Government Resource
https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf Release Notes
https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf Release Notes
Configurations

Configuration 1 (hide)

cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*
History

09 Dec 2024, 18:15

Type Values Removed Values Added
CWE CWE-798 CWE-1391
Summary Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials. Snap One OvrC Pro versions prior to 7.2 have their own locally running web server accessible both from the local network and remotely. OvrC cloud contains a hidden superuser account accessible through hard-coded credentials.
References (MISC) https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf - Release Notes () https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf - Release Notes
References (MISC) https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 - Third Party Advisory, US Government Resource () https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 - Third Party Advisory, US Government Resource

31 May 2023, 14:45

Type Values Removed Values Added
CPE cpe:2.3:a:snapone:orvc:*:*:*:*:*:pro:*:*
First Time Snapone
Snapone orvc
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
References (MISC) https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf - (MISC) https://www.control4.com/docs/product/ovrc-software/release-notes/english/latest/ovrc-software-release-notes-rev-r.pdf - Release Notes
References (MISC) https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 - (MISC) https://www.cisa.gov/news-events/ics-advisories/icsa-23-136-01 - Third Party Advisory, US Government Resource

22 May 2023, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-05-22 20:15

Updated : 2024-12-09 18:15

NVD link : CVE-2023-31240

Mitre link : CVE-2023-31240

JSON object : View

Products Affected

snapone

  • orvc
CWE
CWE-1391

Use of Weak Credentials