CVE-2022-4098 HIGH

CVE-2022-4098: Wiesemann & Theis: Multiple products prone to missing authentication through spoofing

Vendor Wiesemann & Theis
Product Com-Server ++
Weakness CWE-290
Published December 13, 2022
Last update April 14, 2025

CVSS base score

8.0/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Multiple Wiesemann & Theis products of the Com-Server series are prone to an authentication bypass through IP spoofing (CWE-290). After a user has logged in to the web-based management (WBM) interface of the Com-Server, an unauthenticated attacker on the same subnet can obtain that user's session ID and, by spoofing the user's IP address, change arbitrary settings with crafted HTTP GET requests. This may result in a complete takeover of the device. The CVSS vector reflects these preconditions: the attacker needs adjacent-network access (AV:A) and an existing authenticated session created by a legitimate user (UI:R), but no credentials of their own (PR:N).
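The following is an added worked example, not code from Wiesemann & Theis or from the Com-Server firmware: the page does not describe how the device implements its sessions, so the vulnerable handler below is an assumed model of the pattern the advisory names (a session ID carried in the request plus the request's source IP treated as proof of identity, with settings changed through GET). The hardened handler beside it shows the design a practitioner would expect instead: an unguessable token sent only as a cookie, state changes restricted to POST with a per-session CSRF token, and the client IP used for auditing but never for authorization. The device, settings, IP addresses and request shapes are all constructed for the demonstration.

```python
"""Toy model of CWE-290 (authentication bypass by spoofing) in an embedded
web-management interface. Added example; the vulnerable design is an
ASSUMPTION about the pattern the advisory describes, not the real firmware."""
import hmac
import secrets
from urllib.parse import parse_qs


class Device:
    """Stand-in for the device: a settings dict and a session table (constructed)."""
    def __init__(self):
        self.settings = {"admin_password": "secret", "syslog_host": "192.168.1.5"}
        self.sessions = {}


# ---- vulnerable design: source IP treated as an authenticator (assumed) ----
def vuln_login(dev, client_ip, password):
    if password != dev.settings["admin_password"]:
        return None
    sid = secrets.token_hex(4)      # short ID meant to ride in the URL
    dev.sessions[sid] = client_ip   # session bound to the login IP
    return sid


def vuln_handle_get(dev, client_ip, path, query):
    """Reads 'sid' from the query string and trusts the request when the packet's
    source IP equals the IP the session was opened from. On a shared subnet that
    address is trivially forged, so a leaked sid is a complete credential."""
    params = parse_qs(query)
    sid = params.get("sid", [""])[0]
    if dev.sessions.get(sid) != client_ip:
        return 403, "forbidden"
    if path == "/config":
        for key in ("admin_password", "syslog_host"):
            if key in params:
                dev.settings[key] = params[key][0]   # state change via GET
        return 200, "saved"
    return 200, "ok"


# ---- hardened design: the token is the credential, the IP is only logged ----
def safe_login(dev, client_ip, password):
    if not hmac.compare_digest(password.encode(), dev.settings["admin_password"].encode()):
        return None
    token = secrets.token_urlsafe(32)   # 256-bit session token, sent as a cookie
    csrf = secrets.token_urlsafe(32)    # per-session anti-CSRF token for POST bodies
    dev.sessions[token] = {"csrf": csrf, "login_ip": client_ip}  # IP kept for audit only
    return token, csrf


def _cookie(headers, name):
    for part in headers.get("Cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return ""


def safe_handle(dev, client_ip, method, path, headers, body):
    """Session comes only from the Cookie header (never the URL); settings changes
    need POST plus the session's CSRF token; client_ip plays no part in the
    decision, so spoofing it buys the attacker nothing by itself."""
    presented = _cookie(headers, "session").encode()
    sess = next((s for t, s in dev.sessions.items()
                 if hmac.compare_digest(t.encode(), presented)), None)
    if sess is None:
        return 403, "forbidden"
    if path == "/config":
        if method != "POST":
            return 405, "settings changes require POST"
        params = parse_qs(body)
        if not hmac.compare_digest(params.get("csrf", [""])[0].encode(), sess["csrf"].encode()):
            return 403, "bad csrf token"
        for key in ("admin_password", "syslog_host"):
            if key in params:
                dev.settings[key] = params[key][0]
        return 200, "saved"
    return 200, "ok"


def demo():
    """Replays the advisory's attack against both designs (constructed scenario)."""
    admin_ip, attacker_ip, out = "192.168.1.20", "192.168.1.66", {}
    dev = Device()
    sid = vuln_login(dev, admin_ip, "secret")                 # admin logs in to the WBM
    attack = f"sid={sid}&admin_password=pwned"                # sid obtained by the attacker
    out["vuln_real_ip"] = vuln_handle_get(dev, attacker_ip, "/config", attack)[0]   # honest source IP: refused
    out["vuln_spoofed_ip"] = vuln_handle_get(dev, admin_ip, "/config", attack)[0]   # forged source IP: accepted
    out["vuln_password"] = dev.settings["admin_password"]
    dev = Device()
    token, csrf = safe_login(dev, admin_ip, "secret")
    out["safe_spoofed_get"] = safe_handle(dev, admin_ip, "GET", "/config", {}, attack)[0]
    out["safe_spoofed_cookie_get"] = safe_handle(dev, admin_ip, "GET", "/config",
                                                 {"Cookie": f"session={token}"}, "")[0]
    out["safe_admin_post"] = safe_handle(dev, admin_ip, "POST", "/config",
                                         {"Cookie": f"session={token}"}, f"csrf={csrf}&syslog_host=10.0.0.9")[0]
    out["safe_password"] = dev.settings["admin_password"]
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that in the vulnerable design the IP check is not a second factor: an attacker who has the session ID only needs to forge the source address of a request whose response they never have to receive, which is exactly the same-subnet blind GET the advisory describes. The hardened handler removes both halves of that bargain (no session ID in the URL, no trust in the source address), but it does not protect a token that is sniffed on a plaintext link; serving the management interface over TLS and keeping it off shared segments remain part of the fix.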

Key dates

Disclosure timeline

December 13, 2022 CVE published
April 14, 2025 Record updated