Security vulnerabilities identified in Vuforia Studio
Applies To
- Vuforia Studio 1.0 to 9.8.0
Description
- Plaintext web login basic Auth
  CVSS 3.1 Score: 3.7 (Low)
  CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
  CWE: CWE-522: Insufficiently Protected Credentials
  Common Vulnerabilities and Exposures: CVE-2023-29168
  Researcher Attribution: Lockheed Martin - Red Team
- HTTP Authorization header and session cookies ignored
  CVSS 3.1 Score: 1.8 (Low)
  CVSS 3.1 Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
  CWE: CWE-285: Improper Authorization
  Common Vulnerabilities and Exposures: CVE-2023-24476
  Researcher Attribution: Lockheed Martin - Red Team
- Arbitrary File Upload
  CVSS 3.1 Score: 8.0 (High)
  CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
  CWE: CWE-434: Unrestricted Upload of File with Dangerous Type
  Common Vulnerabilities and Exposures: CVE-2023-27881
  Researcher Attribution: Lockheed Martin - Red Team
- Arbitrary File Delete
  CVSS 3.1 Score: 6.2 (Medium)
  CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:N/A:H
  CWE: CWE-285: Improper Authorization
  Common Vulnerabilities and Exposures: CVE-2023-29152
  Researcher Attribution: Lockheed Martin - Red Team
- Modifiable Resource Directory
  CVSS 3.1 Score: 6.2 (Medium)
  CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
  CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  Common Vulnerabilities and Exposures: CVE-2023-29502
  Researcher Attribution: Lockheed Martin - Red Team
- No CSRF Token
  CVSS 3.1 Score: 5.7 (Medium)
  CVSS 3.1 Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
  CWE: CWE-352: Cross-Site Request Forgery (CSRF)
  Common Vulnerabilities and Exposures: CVE-2023-31200
  Researcher Attribution: Lockheed Martin - Red Team
Note that PTC has no indication, nor has it been made aware, that any of these vulnerabilities has been or is being exploited.