CWE-767
Access to Critical Private Variable via Public Method
BaseIncomplete
Description
The product defines a public method that reads or modifies a private variable.
If an attacker modifies the variable to contain unexpected values, this could violate assumptions from other parts of the code. Additionally, if an attacker can read the private variable, it may expose sensitive information or make it easier to launch further attacks.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (2)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-8380 | Hig | 0.51 | 7.3 | 0.11 | Apr 5, 2018 | The web server in Phoenix Contact ILC PLCs allows access to read and write PLC variables without authentication. | ||
| CVE-2024-34162 | — | Med | 0.34 | 5.3 | 0.01 | Nov 26, 2024 | The web interface of the affected devices is designed to hide the LDAP credentials even for administrative users. But configuring LDAP authentication to "SIMPLE", the device communicates with the LDAP server in clear-text. The LDAP password can be retrieved from this clear-text… |
- risk 0.51cvss 7.3epss 0.11
The web server in Phoenix Contact ILC PLCs allows access to read and write PLC variables without authentication.
- risk 0.34cvss 5.3epss 0.01
The web interface of the affected devices is designed to hide the LDAP credentials even for administrative users. But configuring LDAP authentication to "SIMPLE", the device communicates with the LDAP server in clear-text. The LDAP password can be retrieved from this clear-text…