CVE-2023-29114 MEDIUM

CVE-2023-29114: Unauthorized System Log Disclosure in Enel X JuiceBox

Vendor Enel X
Product JuiceBox Pro 3.0 22kW Cellular
Weakness CWE-200 · Info exposure
Published November 5, 2024
Last update November 5, 2024
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

System logs could be accessed through web management application due to a lack of access control. An attacker can obtain the following sensitive information: •     Wi-Fi access point credentials to which the EV charger can connect. •     APN web address and credentials. •     IPSEC credentials. •     Web interface access credentials for user and admin accounts. •     JuiceBox system components (software installed, model, firmware version, etc.). •     C2G configuration details. •     Internal IP addresses. •     OTA firmware update configurations (DNS servers). All the credentials are stored in logs in an unencrypted plaintext format.

Key dates

02Disclosure timeline

November 5, 2024 CVE published
November 5, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-39974 Extension - acymailing.com - Exposure of Sensitive Information in AcyMailing Enterprise component for Joomla 6.7.0-8.6.3 CVE-2026-34744 MantisBT authorization bypass allows continued access to self-uploaded attachments on private issues CVE-2024-42486 Cilium vulnerable to information leakage via incorrect ReferenceGrant update logic in Gateway API CVE-2024-0716 Byzoro Smart S150 Management Platform Backup File download.php information disclosure CVE-2023-32082 etcd key name can be accessed via LeaseTimeToLive API