CVE-2023-1841 - Vulnerability Details - OpenCVE

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05. Honeywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions correct the reported vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Honeywell	Mpa2 Mpa2 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:honeywell:mpa2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:honeywell:mpa2:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices
https://https://www.honeywell.com/us/en/product-security

History

Tue, 04 Mar 2025 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Honeywell Honeywell mpa2 Honeywell mpa2 Firmware
CPEs		cpe:2.3:h:honeywell:mpa2:::::::: cpe:2.3:o:honeywell:mpa2_firmware::::::::
Vendors & Products		Honeywell Honeywell mpa2 Honeywell mpa2 Firmware

MITRE

Status: PUBLISHED

Assigner: Honeywell

Published: 2024-02-29T05:09:14.716Z

Updated: 2024-08-02T06:05:26.725Z

Reserved: 2023-04-04T19:05:19.824Z

Link: CVE-2023-1841

Vulnrichment

Updated: 2024-08-02T06:05:26.725Z

NVD

Status : Analyzed

Published: 2024-02-29T06:15:45.093

Modified: 2025-03-04T12:25:10.853

Link: CVE-2023-1841

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1841", "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "state": "PUBLISHED", "assignerShortName": "Honeywell", "dateReserved": "2023-04-04T19:05:19.824Z", "datePublished": "2024-02-29T05:09:14.716Z", "dateUpdated": "2024-08-02T06:05:26.725Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["Web server"], "product": "MPA2 Access Panel", "vendor": "Honeywell", "versions": [{"lessThan": "R1.00.08.05", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ken Pyle from CYBIR (kp@cybir.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.<p>This issue affects MPA2 Access Panel all version prior to R1.00.08.05. \n\nHoneywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions\ncorrect the reported vulnerability.\n\n</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.\u00a0\n\nHoneywell released firmware update package MPA2 firmware\u00a0R1.00.08.05 which addresses\u00a0this vulnerability. This version and all later versions\ncorrect the reported vulnerability.\n\n"}], "impacts": [{"capecId": "CAPEC-247", "descriptions": [{"lang": "en", "value": "CAPEC-247 XSS Using Invalid Characters"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell", "dateUpdated": "2024-04-25T14:06:56.010Z"}, "references": [{"url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices"}, {"url": "https://https://www.honeywell.com/us/en/product-security"}], "source": {"discovery": "EXTERNAL"}, "title": "Honeywell MPA2 Web Application XSS vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "honeywell", "product": "mpa2_access_panel", "cpes": ["cpe:2.3:a:honeywell:mpa2_access_panel:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "R1.00.08.05", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-11T17:24:29.503996Z", "id": "CVE-2023-1841", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T17:35:27.560Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:05:26.725Z"}, "title": "CVE Program Container", "references": [{"url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices", "tags": ["x_transferred"]}, {"url": "https://https://www.honeywell.com/us/en/product-security", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices", "tags": ["x_transferred"]}, {"url": "https://https://www.honeywell.com/us/en/product-security", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:05:26.725Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-03-11T17:24:29.503996Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:honeywell:mpa2_access_panel:*:*:*:*:*:*:*:*"], "vendor": "honeywell", "product": "mpa2_access_panel", "versions": [{"status": "affected", "version": "0", "lessThan": "R1.00.08.05", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-11T17:35:12.396Z"}}], "cna": {"title": "Honeywell MPA2 Web Application XSS vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ken Pyle from CYBIR (kp@cybir.com)"}], "impacts": [{"capecId": "CAPEC-247", "descriptions": [{"lang": "en", "value": "CAPEC-247 XSS Using Invalid Characters"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Honeywell", "modules": ["Web server"], "product": "MPA2 Access Panel", "versions": [{"status": "affected", "version": "0", "lessThan": "R1.00.08.05", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices"}, {"url": "https://https://www.honeywell.com/us/en/product-security"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.\u00a0\n\nHoneywell released firmware update package MPA2 firmware\u00a0R1.00.08.05 which addresses\u00a0this vulnerability. This version and all later versions\ncorrect the reported vulnerability.\n\n", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.<p>This issue affects MPA2 Access Panel all version prior to R1.00.08.05. \n\nHoneywell released firmware update package MPA2 firmware R1.00.08.05 which addresses this vulnerability. This version and all later versions\ncorrect the reported vulnerability.\n\n</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "shortName": "Honeywell", "dateUpdated": "2024-04-25T14:06:56.010Z"}}}, "cveMetadata": {"cveId": "CVE-2023-1841", "state": "PUBLISHED", "dateUpdated": "2024-08-02T06:05:26.725Z", "dateReserved": "2023-04-04T19:05:19.824Z", "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d", "datePublished": "2024-02-29T05:09:14.716Z", "assignerShortName": "Honeywell"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:honeywell:mpa2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CAF764CE-1B5E-4BB1-B431-61F506797CCA", "versionEndExcluding": "R1.00.08.05", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:honeywell:mpa2:*:*:*:*:*:*:*:*", "matchCriteriaId": "79B6F95D-6F2A-46FA-8A45-BF8737AA1DCA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Honeywell MPA2 Access Panel (Web server modules) allows XSS Using Invalid Characters.This issue affects MPA2 Access Panel all version prior to R1.00.08.05.\u00a0\n\nHoneywell released firmware update package MPA2 firmware\u00a0R1.00.08.05 which addresses\u00a0this vulnerability. This version and all later versions\ncorrect the reported vulnerability.\n\n"}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n inadecuada de la entrada durante la generaci\u00f3n de p\u00e1ginas web ('cross-site Scripting') en Honeywell MPA2 Access Panel (m\u00f3dulos de servidor web) permite que XSS utilice caracteres no v\u00e1lidos. Este problema afecta a MPA2 Access Panel en todas las versiones anteriores a R1.00.08.05. Honeywell lanz\u00f3 el paquete de actualizaci\u00f3n de firmware MPA2 R1.00.08.05 que soluciona esta vulnerabilidad. Esta versi\u00f3n y todas las versiones posteriores corrigen la vulnerabilidad informada."}], "id": "CVE-2023-1841", "lastModified": "2025-03-04T12:25:10.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "psirt@honeywell.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-29T06:15:45.093", "references": [{"source": "psirt@honeywell.com", "tags": ["Vendor Advisory"], "url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices"}, {"source": "psirt@honeywell.com", "tags": ["Vendor Advisory"], "url": "https://https://www.honeywell.com/us/en/product-security"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://https://www.honeywell.com/us/en/product-security"}], "sourceIdentifier": "psirt@honeywell.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@honeywell.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Secondary"}]}