CVE-2023-45598
Description
A CWE-425 “Direct Request ('Forced Browsing')” vulnerability in the “measure” functionality of the web application allows a remote unauthenticated attacker to access confidential measure information. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A forced browsing vulnerability in AiLux imx6 bundle's measure functionality allows unauthenticated remote attackers to access confidential measurement data.
Vulnerability
A CWE-425 Direct Request ('Forced Browsing') vulnerability exists in the "measure" functionality of the AiLux imx6 bundle web application. The application fails to enforce proper access controls on specific URLs, allowing an unauthenticated remote attacker to directly request and retrieve confidential measure information. This issue affects all imx6 bundle versions below imx6_1.0.7-2. [1]
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint without any authentication. No special network position, user interaction, or prior knowledge is required; the attacker only needs network access to the device. The forced browsing attack directly accesses the measure functionality URLs that lack proper access controls. [1]
Impact
Successful exploitation allows the attacker to read confidential measure information from the device. The impact is limited to information disclosure (confidentiality) with low severity (CVSS 5.3). No integrity or availability impact is reported. The attacker gains no further privileges beyond accessing the measure data. [1]
Mitigation
The vulnerability is fixed in imx6 bundle version imx6_1.0.7-2. Users should update to this version or later. No workarounds are mentioned in the advisory. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
- Range: < imx6_1.0.7-2
- AiLux/imx6 bundle v5 Range: 0
Patches
0
No patches discovered yet.
References
1