CVE-2023-6949 MEDIUM

CVE-2023-6949

Vendor Dji
Product Mini 3 Pro
Weakness CWE-306 · Missing auth
Published April 2, 2024
Last update February 13, 2025

CVSS base score

5.2/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

A Missing Authentication for Critical Function issue affecting the HTTP service running on the DJI Mavic Mini 3 Pro on the standard port 80 could allow an attacker to enumerate and download videos and pictures saved on the drone internal or external memory without requiring any kind of authentication.

Key dates

02Disclosure timeline

April 2, 2024 CVE published
February 13, 2025 Record updated