CVE-2023-28900 MEDIUM

CVE-2023-28900: Nickname Disclosure on the Backend Automotive Server

Vendor Škoda Auto

Product Škoda Connect

Weakness CWE-200 · Info exposure

Published January 18, 2024

Last update June 17, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number.

Key dates

02Disclosure timeline

January 18, 2024 CVE published

June 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-28900

Related vulnerabilities

04Related CVE

CVE-2026-32620 Discourse: Missing post-level authorization allows whisper metadata disclosure CVE-2022-0854 CVE-2025-14286 Tenda AC9 Configuration File DownloadCfg.jpg information disclosure CVE-2022-40696 WordPress Advanced Custom Fields Plugin 3.1.1-6.0.2 is vulnerable to Sensitive Data Exposure CVE-2024-42339 CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor