We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-5935

Missing authentication for local web interface in Arc before v1.6.0



Description

When configuring Arc (e.g. during the first setup), a local web interface is provided to ease the configuration process. Such web interface lacks authentication and may thus be abused by a local attacker or malware running on the machine itself. A malicious local user or process, during a window of opportunity when the local web interface is active, may be able to extract sensitive information or change Arc's configuration. This could also lead to arbitrary code execution if a malicious update package is installed.

Reserved 2023-11-02 | Published 2024-05-15 | Updated 2024-08-02 | Assigner Nozomi


HIGH: 7.4CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

HIGH: 7.3CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-306 Missing Authentication for Critical Function

Product status

Default status
unaffected

Any version before 1.6.0
affected

Credits

This issue was found by Diego Giubertoni of Nozomi Networks Security Research team during an internal penetration testing session. finder

References

security.nozominetworks.com/NN-2023:13-01

cve.org (CVE-2023-5935)

nvd.nist.gov (CVE-2023-5935)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-5935

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.