Article - CS392399

Security vulnerabilities identified in Vuforia Studio

Modified: 09-May-2023

Applies To

  • Vuforia Studio 1.0 to 9.8.0

Description

  1. Plaintext web login basic Auth 

CVSS 3.1 Score: 3.7 (Low) 

CVSS 3.1 Vector String: /AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 

CWE: CWE-522: Insufficiently Protected Credentials 

Common Vulnerabilities and Exposures: CVE-2023-29168 

Researcher Attribution: Lockheed Martin - Red Team 

  2. HTTP Authorization header and session cookies ignored

CVSS 3.1 Score: 1.8 (Low) 

CVSS 3.1 Vector String: /AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N 

CWE: CWE-285: Improper Authorization 

Common Vulnerabilities and Exposures: CVE-2023-24476 

Researcher Attribution: Lockheed Martin - Red Team 

  3. Arbitrary File Upload

CVSS 3.1 Score: 8.0 (High) 

CVSS 3.1 Vector String: /AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H 

CWE: CWE-434: Unrestricted Upload of File with Dangerous Type 

Common Vulnerabilities and Exposures: CVE-2023-27881 

Researcher Attribution: Lockheed Martin - Red Team 

  4. Arbitrary File Delete

CVSS 3.1 Score: 6.2 (Medium) 

CVSS 3.1 Vector String: /AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H 

CWE: CWE-285: Improper Authorization 

Common Vulnerabilities and Exposures: CVE-2023-29152 

Researcher Attribution: Lockheed Martin - Red Team 

  5. Modifiable Resource Director

CVSS 3.1 Score: 6.2 (Medium) 

CVSS 3.1 Vector String: /AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N 

CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Common Vulnerabilities and Exposures: CVE-2023-29502 

Researcher Attribution: Lockheed Martin - Red Team 

  6. No CSRF Token

CVSS 3.1 Score: 5.7 (Medium) 

CVSS 3.1 Vector String: /AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N 

CWE: CWE-352: Cross-Site Request Forgery (CSRF) 

Common Vulnerabilities and Exposures: CVE-2023-31200 

Researcher Attribution: Lockheed Martin - Red Team 

Note that PTC has no indication, and has not been made aware, that any of these vulnerabilities has been or is being exploited.

This is a printer-friendly version of Article 392399 and may be out of date. For the latest version, see CS392399.