Unrated severity · NVD Advisory · Published Mar 5, 2024 · Updated Oct 17, 2024

CVE-2023-45596

Description

A CWE-425 “Direct Request ('Forced Browsing')” vulnerability in the “file_configuration” functionality of the web application allows a remote unauthenticated attacker to access confidential configuration files. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A forced browsing vulnerability in AiLux imx6 bundle's file_configuration allows unauthenticated remote attackers to access confidential configuration files.

Vulnerability

A CWE-425 "Direct Request ('Forced Browsing')" vulnerability exists in the file_configuration functionality of the AiLux imx6 bundle. This issue affects all versions below imx6_1.0.7-2. The vulnerability allows an attacker to directly request configuration files without proper access controls, bypassing intended restrictions [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by requesting the file_configuration endpoint directly over HTTP. No authentication, user interaction, or special network position is required; the attacker only needs network access to the device [1].

Impact

Successful exploitation results in the disclosure of confidential configuration files. The impact is limited to confidentiality (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), with no impact on integrity or availability. The attacker gains access to sensitive device configuration data [1].

Mitigation

Update the AiLux imx6 bundle to version imx6_1.0.7-2 or later. No workarounds are documented. The fix is available and addresses the forced browsing vulnerability [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
