CVE-2023-2505 - OpenCVE

The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Birddog	4k Quad Studio R3 Mini Firmware Mini 4k Quad Firmware A300 Studio R3 Firmware A300 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:birddog:a300_firmware:3.4:*:*:*:*:*:*:*

cpe:2.3:h:birddog:a300:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:birddog:mini_firmware:2.6.2:*:*:*:*:*:*:*

cpe:2.3:h:birddog:mini:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

OR	cpe:2.3:o:birddog:4k_quad_firmware:4.5.181:::::::*
	cpe:2.3:o:birddog:4k_quad_firmware:4.5.196:::::::*

cpe:2.3:h:birddog:4k_quad:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:birddog:studio_r3_firmware:3.6.4:*:*:*:*:*:*:*

cpe:2.3:h:birddog:studio_r3:-:*:*:*:*:*:*:*

References

Link	Resource
https://birddog.tv/downloads/	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-11	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2023-05-22T21:01:56.372Z

Updated: 2023-05-22T21:05:35.109Z

Reserved: 2023-05-03T15:24:23.176Z

Link: CVE-2023-2505

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-05-22T22:15:10.350

Modified: 2023-05-31T14:01:22.207

Link: CVE-2023-2505

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-2505", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2023-05-03T15:24:23.176Z", "datePublished": "2023-05-22T21:01:56.372Z", "dateUpdated": "2023-05-22T21:05:35.109Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "STUDIO R3", "vendor": "BirdDog", "versions": [{"status": "affected", "version": "3.6.4"}]}, {"defaultStatus": "unaffected", "product": "4K QUAD", "vendor": "BirdDog", "versions": [{"status": "affected", "version": "4.5.181"}, {"status": "affected", "version": "4.5.196"}]}, {"defaultStatus": "unaffected", "product": "MINI", "vendor": "BirdDog", "versions": [{"status": "affected", "version": "2.6.2"}]}, {"defaultStatus": "unaffected", "product": "A300 EYES", "vendor": "BirdDog", "versions": [{"status": "affected", "version": "3.4"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Alan Cao reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>The affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.</p><br>\n\n"}], "value": "\nThe affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.\n\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2023-05-22T21:05:35.109Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-11"}, {"url": "https://birddog.tv/downloads/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">BirdDog has released a firmware patch for this issue and users are encouraged to update their devices by going to BirdDog\u2019s download page </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://birddog.tv/downloads/\">here</a><span style=\"background-color: rgb(255, 255, 255);\">.</span>\n\n<br>"}], "value": "\nBirdDog has released a firmware patch for this issue and users are encouraged to update their devices by going to BirdDog\u2019s download page here https://birddog.tv/downloads/ .\n\n\n"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:birddog:a300_firmware:3.4:*:*:*:*:*:*:*", "matchCriteriaId": "D819BA91-D975-418C-A6BD-5CD06E543541", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:birddog:a300:-:*:*:*:*:*:*:*", "matchCriteriaId": "5473E936-1D6A-49D2-AF43-1F4CFBF5480D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:birddog:mini_firmware:2.6.2:*:*:*:*:*:*:*", "matchCriteriaId": "DF87B2F2-CFD3-4269-A4CF-FAD8A4B531DF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:birddog:mini:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6A930E2-D903-4E40-8346-2829BAFC9999", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:birddog:4k_quad_firmware:4.5.181:*:*:*:*:*:*:*", "matchCriteriaId": "34578ED0-FEBC-4FEE-893E-54FCF0269C92", "vulnerable": true}, {"criteria": "cpe:2.3:o:birddog:4k_quad_firmware:4.5.196:*:*:*:*:*:*:*", "matchCriteriaId": "0D5B2472-6862-4ED3-A7AB-84F7E9847E46", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:birddog:4k_quad:-:*:*:*:*:*:*:*", "matchCriteriaId": "CE7B5236-6A39-43C7-9EAD-30EB15CCFAE9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:birddog:studio_r3_firmware:3.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "4D3FB3C3-C2EB-41D1-9334-C25EC95FC045", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:birddog:studio_r3:-:*:*:*:*:*:*:*", "matchCriteriaId": "696D1E43-79CB-47A9-BA0A-87699EB4ACF0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "\nThe affected products have a CSRF vulnerability that could allow an attacker to execute code and upload malicious files.\n\n\n\n\n"}], "id": "CVE-2023-2505", "lastModified": "2023-05-31T14:01:22.207", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2023-05-22T22:15:10.350", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Product"], "url": "https://birddog.tv/downloads/"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-11"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}