CVE-2023-5872
Received - Intake
Information Disclosure in Wago Smart Designer via Endpoint Enumeration

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: CERT VDE

Description
In Wago Smart Designer in versions up to 2.33.1, a low-privileged remote attacker may enumerate projects and usernames through iterative requests to a specific endpoint.
Meta Information
Published: 2026-04-16
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wago gmbh_and_co_kg to 2.33.1 (inc)
CWE ID Description
CWE-203 The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2023-5872 is a vulnerability in WAGO GmbH & Co.KG's Smart Designer web application, affecting versions up to 2.33.1.

It allows a low-privileged remote attacker to enumerate projects and usernames by making iterative requests to a specific endpoint in the application.

This vulnerability is classified under CWE-203 (Observable Discrepancy) and has a CVSS 3.1 base score of 4.3, indicating medium severity with limited confidentiality impact and no impact on integrity or availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows a low-privileged remote attacker to enumerate projects and usernames, potentially leading to the disclosure of sensitive information.

Such information disclosure could impact compliance with standards and regulations that require protection of personal or sensitive data, such as GDPR or HIPAA, by exposing user-related data.

However, the vulnerability has a low confidentiality impact and does not affect integrity or availability, which may limit the overall compliance risk.

Remediation by upgrading to Smart Designer version 2.34 is recommended to address this issue and reduce compliance risks.


How can this vulnerability impact me?

The primary impact of this vulnerability is the potential disclosure of sensitive information, specifically the enumeration of projects and usernames.

An attacker with low privileges can remotely gather this information without user interaction, which could be used for further targeted attacks or reconnaissance.

However, the vulnerability does not affect data integrity or availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for iterative requests to a specific endpoint in the WAGO Smart Designer web application that enumerate projects and usernames.

Network detection could involve capturing and analyzing HTTP requests to identify repeated access patterns targeting the vulnerable endpoint.

Specific commands are not provided in the available resources.
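
The monitoring described above, as an added example (not from the advisory or from WAGO): it counts how many distinct identifiers each client requests under one endpoint within a sliding time window and flags clients above a threshold. The endpoint path is a placeholder because the page does not name it; the access-log format, window, threshold and sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the advisory does not name the endpoint. Replace this placeholder
# with the path seen in your own Smart Designer web server logs.
ENDPOINT_PREFIX = "/PLACEHOLDER-ENDPOINT/"
WINDOW = timedelta(seconds=60)  # assumed tuning value
MAX_DISTINCT = 5                # assumed tuning value

# Assumed log format: common/combined access log.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) ')

def find_enumerators(lines, prefix=ENDPOINT_PREFIX, window=WINDOW,
                     max_distinct=MAX_DISTINCT):
    """Return {client_ip: peak distinct identifiers requested under `prefix`
    inside any one window} for clients whose peak exceeds `max_distinct`."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ident = m["path"][len(prefix):].split("?")[0]
        events[m["ip"]].append((ts, ident))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            # Shrink the window until it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({ident for _, ident in evs[start:end + 1]}))
        if peak > max_distinct:
            flagged[ip] = peak
    return flagged

# Constructed sample log lines (not real traffic): one client walking
# identifiers 0..11 in 12 seconds, one client re-reading a single resource.
SAMPLE = [
    f'10.0.0.5 - alice [16/Apr/2026:10:00:{i:02d} +0000] '
    f'"GET {ENDPOINT_PREFIX}{i} HTTP/1.1" {200 if i % 3 == 0 else 404} 120'
    for i in range(12)
] + [
    '10.0.0.9 - bob [16/Apr/2026:10:00:05 +0000] "GET /PLACEHOLDER-ENDPOINT/7 HTTP/1.1" 200 120',
    '10.0.0.9 - bob [16/Apr/2026:10:05:05 +0000] "GET /PLACEHOLDER-ENDPOINT/7 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

Counting distinct identifiers rather than raw request volume keeps a client that repeatedly reloads the same project from being flagged.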


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade WAGO Smart Designer to version 2.34, which includes a patch addressing this vulnerability.

