ioLogik 4000 Series (ioLogik E4200) firmware v1.6 and prior is affected by multiple web server vulnerabilities and an improper access control vulnerability.
Web Server Vulnerabilities
The web server vulnerabilities arise from improper configuration or implementation of HTTP headers. Attackers could exploit the vulnerabilities to compromise the web service.
Improper Access Control Vulnerability
The improper access control vulnerability results from improper control of an existing unauthorized service. Attackers could exploit the vulnerability by connecting to the unauthorized service. Successful exploitation of the vulnerability could lead to unauthorized access.
The identified vulnerability types and potential impacts are shown below:
| Item | Vulnerability Type | CVE | Impact |
| --- | --- | --- | --- |
| 1 | Existing unauthorized service (CWE-284: Improper Access Control) | CVE-2023-4227 | Attackers can gain unauthorized access |
| 2 | Session cookie attributes not set properly (CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag) | CVE-2023-4228 | Attackers can compromise the web service |
| 3 | Session headers not implemented (CWE-1021: Improper Restriction of Rendered UI Layers or Frames) | CVE-2023-4229 | Attackers can compromise the web service |
| 4 | Server banner information disclosure (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) | CVE-2023-4230 | Attackers can compromise the web service |
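As an added example (not part of the advisory or of the vendor's code), the check below audits an HTTP response's headers for the three web-server items in the table: the HttpOnly cookie flag (CVE-2023-4228), an anti-framing header (CVE-2023-4229) and a version-bearing Server banner (CVE-2023-4230). The header names used for the CWE-1021 check (X-Frame-Options or a CSP frame-ancestors directive) are an assumption about the usual mitigation, not something the advisory states, and the sample responses are constructed rather than captured from a device.

```python
from typing import Dict, List


def parse_cookie_flags(set_cookie: str) -> Dict[str, str]:
    """Split a Set-Cookie value into its attributes, keyed case-insensitively."""
    parts = [p.strip() for p in set_cookie.split(";")]
    flags: Dict[str, str] = {}
    for part in parts[1:]:  # parts[0] is the name=value pair itself
        key, _, value = part.partition("=")
        flags[key.strip().lower()] = value.strip()
    return flags


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per advisory item detected in the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # CVE-2023-4228 / CWE-1004: session cookie issued without HttpOnly
    cookie = h.get("set-cookie")
    if cookie is not None and "httponly" not in parse_cookie_flags(cookie):
        findings.append("CVE-2023-4228: Set-Cookie lacks HttpOnly")

    # CVE-2023-4229 / CWE-1021: no anti-framing protection (assumed check:
    # X-Frame-Options header or a CSP frame-ancestors directive)
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("CVE-2023-4229: no X-Frame-Options / CSP frame-ancestors")

    # CVE-2023-4230 / CWE-200: Server banner carries a version number
    server = h.get("server", "")
    if server and any(ch.isdigit() for ch in server):
        findings.append(f"CVE-2023-4230: Server banner discloses version ({server})")

    return findings


# Constructed sample responses (not captured from a real device)
VULNERABLE_RESPONSE = {
    "Server": "ExampleHTTPd/1.6",
    "Set-Cookie": "SESSIONID=abc123; Path=/",
}
HARDENED_RESPONSE = {
    "Set-Cookie": "SESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_headers(VULNERABLE_RESPONSE):
        print(finding)
```

The check only sees a single Set-Cookie value; a response with several session cookies should be fed to it one header at a time. Item 1 (CVE-2023-4227) concerns an exposed network service rather than HTTP headers, so it is outside what this check can detect.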