CVE-2023-40725 MEDIUM

Vendor: Siemens
Product: QMS Automotive
Weakness: CWE-209 · Error message info leak
Published: September 12, 2023
Last update: February 27, 2025

CVSS base score

4.0/10
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C

What the vulnerability does

01 Description

A vulnerability has been identified in QMS Automotive (All versions < V12.39). The affected application returns inconsistent error messages in response to invalid user credentials during a login session. This allows an attacker to enumerate usernames and identify valid ones.

Key dates

02 Disclosure timeline

September 12, 2023: CVE published
February 27, 2025: Record updated