{ "document": { "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordination", "urls": [ "https://certvde.com" ] }, { "organization": "White Oak Security", "names": [ "Brett Dewall" ], "summary": "reporting" } ], "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-GB", "notes": [ { "category": "summary", "text": "An attacker with privileges can enumerate projects and usernames through an iterative process, by making a request to a specific endpoint.", "title": "Summary" }, { "category": "description", "text": "The vulnerability might result in disclosure of sensitive information.", "title": "Impact" }, { "category": "description", "text": "A patch for the WAGO Smart Designer will be available with version 2.34.", "title": "Remediation" } ], "publisher": { "contact_details": "psirt@wago.com", "name": "WAGO GmbH & Co. KG", "namespace": "https://www.wago.com/psirt", "category": "vendor" }, "references": [ { "category": "self", "summary": "VDE-2023-045: Wago: Vulnerability in Smart Designer Web-Application - HTML", "url": "https://certvde.com/en/advisories/VDE-2023-045/" }, { "category": "self", "summary": "VDE-2023-045: Wago: Vulnerability in Smart Designer Web-Application - CSAF", "url": "https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2023/vde-2023-045.json" }, { "category": "external", "summary": "Vendor PSIRT", "url": "https://www.wago.com/psirt" }, { "category": "external", "summary": "CERT@VDE Security Advisories for WAGO GmbH & Co. KG", "url": "https://certvde.com/en/advisories/vendor/wago/" } ], "title": "Wago: Vulnerability in Smart Designer Web-Application", "tracking": { "aliases": [ "VDE-2023-045" ], "current_release_date": "2023-12-05T07:00:00.000Z", "generator": { "date": "2025-04-30T14:13:55.503Z", "engine": { "name": "Secvisogram", "version": "2.5.24" } }, "id": "VDE-2023-045", "initial_release_date": "2023-12-05T07:00:00.000Z", "revision_history": [ { "date": "2023-12-05T07:00:00.000Z", "number": "1", "summary": "Initial revision." } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "name": "Vendor", "category": "vendor", "branches": [ { "name": "Software", "category": "product_family", "branches": [ { "name": "Smart Designer", "category": "product_name", "branches": [ { "name": "<=2.33.1", "category": "product_version_range", "product": { "name": "Smart Designer <=2.33.1", "product_id": "CSAFPID-51001" } }, { "name": "2.34", "category": "product_version", "product": { "name": "Smart Designer 2.34", "product_id": "CSAFPID-52001" } } ] } ] } ] } ] }, "vulnerabilities": [ { "cve": "CVE-2023-5872", "title": "CVE-2023-5872", "cwe": { "id": "CWE-203", "name": "Observable Discrepancy" }, "notes": [ { "text": "In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint.", "category": "description", "title": "Vulnerability Description" } ], "product_status": { "fixed": [ "CSAFPID-52001" ], "known_affected": [ "CSAFPID-51001" ] }, "remediations": [ { "category": "vendor_fix", "details": "A patch for the WAGO Smart Designer will be available with version 2.34.", "product_ids": [ "CSAFPID-51001" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "temporalScore": 4.3, "temporalSeverity": "MEDIUM", "environmentalScore": 4.3, "environmentalSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE" }, "products": [ "CSAFPID-51001" ] } ] } ] }