CVE-2023-34412: Stored XSS vulnerability in mbNET, mbNET.rokey, REX 200 and REX 250

CVSS score: 8.3 (high) | CWE-79 (Cross-site Scripting)
First published: Thu Aug 17 2023

A vulnerability in Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower than 7.3.2 allows an authenticated remote attacker to store an arbitrary JavaScript payload on the diagnosis page of the device. That page is loaded immediately after logging in to the device, so the stored payload runs in the browser of whoever logs in next, allowing the attacker to read and write browser data and reduce system performance. The attacker needs valid credentials to plant the payload, but once stored it executes for every subsequent login until it is removed or the firmware is updated.
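To make the mechanism concrete, the following is an added example and not code from the Red Lion or Helmholz firmware: a minimal model of a "diagnosis page" that stores user-supplied text and renders it on the page shown after login. It shows the vulnerable rendering (stored text concatenated into HTML) beside the hardened form (output encoding for the HTML context), and a heuristic check a reviewer can run over rendered markup. The field name, markup, routes and payloads are assumptions; the devices' real templates are not public.

```javascript
// Added example, not the vendors' firmware code: a minimal model of a
// device "diagnosis page" that stores user-supplied text and renders it
// on the page shown after login. Field name, markup and payloads are
// assumptions; the real device templates are not public.

// In-memory stand-in for the device's persistent settings (constructed).
const deviceStore = { diagnosisNote: "" };

// An authenticated user (or attacker) saves text through the web UI.
function saveDiagnosisNote(note) {
  deviceStore.diagnosisNote = String(note);
}

// VULNERABLE (CWE-79): stored text is concatenated into HTML unchanged,
// so a saved <script> element runs in the browser of whoever logs in next.
function renderDiagnosisPageVulnerable() {
  return `<h1>Diagnosis</h1><div id="note">${deviceStore.diagnosisNote}</div>`;
}

// Output encoding for the HTML text and quoted-attribute contexts.
// Escaping at render time (not at save time) keeps the stored value
// intact and still protects every place it is later displayed.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// HARDENED: identical page, untrusted value encoded for its context.
function renderDiagnosisPageHardened() {
  return `<h1>Diagnosis</h1><div id="note">${escapeHtml(deviceStore.diagnosisNote)}</div>`;
}

// Heuristic reviewer check over rendered markup: does a script element,
// an inline event-handler attribute or a javascript: URL inside a tag
// survive rendering? It only looks for these three patterns, so a clean
// result is evidence, not proof, that nothing executes.
const ACTIVE_CONTENT =
  /<script\b|<[a-z][^>]*\son[a-z]+\s*=|<[a-z][^>]*\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i;

function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Constructed payloads of the kind the advisory describes: the first reads
// browser data (the session cookie) and sends it to the attacker; the
// others show that event handlers and javascript: URLs are just as usable.
const PAYLOADS = [
  '<script>fetch("/steal?c=" + document.cookie)</script>',
  '<img src=x onerror="alert(document.cookie)">',
  '<a href="javascript:alert(1)">diagnostics</a>',
];

// Stores each payload and reports whether each renderer lets it run.
function demo(payloads = PAYLOADS) {
  return payloads.map((p) => {
    saveDiagnosisNote(p);
    return {
      payload: p,
      vulnerable: containsActiveContent(renderDiagnosisPageVulnerable()),
      hardened: containsActiveContent(renderDiagnosisPageHardened()),
    };
  });
}

console.log(demo()); // every entry: vulnerable: true, hardened: false
```

The escaping is done where the value is written into the page, not where it is stored; a filter applied only on save is easy to bypass through other write paths (config import, API, serial console) and leaves older stored values unprotected. On an embedded device a Content-Security-Policy header that forbids inline scripts is a worthwhile second layer, but it does not replace output encoding.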

Credit: CERT@VDE (info@cert.vde.com)

Affected software                        Affected version   How to fix
Helmholz REX 200 firmware                < 7.3.2            Update to 7.3.2 or later
Helmholz REX 250 firmware                < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET.rokey RKH 210 firmware    < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET.rokey RKH 216 firmware    < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET.rokey RKH 235 firmware    < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET.rokey RKH 259 firmware    < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 811 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 816 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 831 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 835 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 841 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 850 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 855 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 858 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 859 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 871 firmware          < 7.3.2            Update to 7.3.2 or later
Red Lion mbNET MDH 876 firmware          < 7.3.2            Update to 7.3.2 or later

Each row covers the named hardware model running the listed firmware.


Frequently Asked Questions

  • What is the vulnerability ID for this vulnerability?

    The vulnerability ID for this vulnerability is CVE-2023-34412.

  • What is the severity level of CVE-2023-34412?

    The severity level of CVE-2023-34412 is high.

  • Which devices are affected by CVE-2023-34412?

    Red Lion Europe mbNET/mbNET.rokey and Helmholz REX 200 and REX 250 devices with firmware lower than 7.3.2 are affected by CVE-2023-34412.

  • How can an attacker exploit CVE-2023-34412?

    An attacker who already holds valid login credentials for the device can store an arbitrary JavaScript payload on the diagnosis page. Because that page is loaded immediately after login, the payload then runs in the browser of any user who subsequently logs in, giving the attacker access to that user's browser data.

  • How can I mitigate CVE-2023-34412?

    To mitigate CVE-2023-34412, update the firmware of the affected devices to version 7.3.2 or higher.
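Deciding which devices still need the update is a version comparison, and the common mistake is to compare version strings lexically, which ranks "7.10.0" below "7.3.2". The following is an added example, not a Red Lion or Helmholz tool: it compares dotted firmware versions numerically against the fixed release and filters an inventory. It assumes the device reports its firmware as dotted integers such as "7.2.9"; the inventory is constructed sample data.

```javascript
// Added example, not vendor tooling: flag devices whose firmware is below
// the fixed release 7.3.2 named in the advisory. Assumes the firmware
// version is reported as dotted integers such as "7.2.9"; the inventory
// below is constructed sample data, not a real fleet.
const FIXED_VERSION = "7.3.2";

// "7.10.0" -> [7, 10, 0]; rejects anything that is not all digits.
function parseVersion(version) {
  const parts = String(version).trim().split(".");
  if (!parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`unparseable firmware version: ${version}`);
  }
  return parts.map(Number);
}

// Numeric, component-wise comparison. A plain string comparison would
// rank "7.10.0" below "7.3.2" and report a patched device as affected.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0; // missing components count as 0: "7.3" == "7.3.0"
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the firmware is strictly below 7.3.2.
function isAffected(firmwareVersion) {
  return compareVersions(firmwareVersion, FIXED_VERSION) < 0;
}

// Constructed inventory (sample data).
const INVENTORY = [
  { host: "rex200-line1", product: "Helmholz REX 200", firmware: "7.2.9" },
  { host: "rex250-line2", product: "Helmholz REX 250", firmware: "7.3.2" },
  { host: "mdh811-pump", product: "Red Lion mbNET MDH 811", firmware: "7.10.0" },
  { host: "rkh235-cell3", product: "Red Lion mbNET.rokey RKH 235", firmware: "6.9.5" },
];

// Returns the hostnames that still need the 7.3.2 (or later) update.
function affectedDevices(inventory = INVENTORY) {
  return inventory.filter((d) => isAffected(d.firmware)).map((d) => d.host);
}

console.log(affectedDevices()); // [ 'rex200-line1', 'rkh235-cell3' ]
```

Until the update is applied, also clear anything an authenticated user may already have stored on the diagnosis page, since the payload persists on the device and the firmware update alone does not remove it from storage.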
