cve/2023/CVE-2023-37857.md

### [CVE-2023-37857](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37857)
![](https://img.shields.io/static/v1?label=Product&message=WP%206070-WVPS&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=WP%206101-WXPS&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=WP%206121-WXPS&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=WP%206156-WHPS&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=WP%206185-WHPS&color=blue)
![](https://img.shields.io/static/v1?label=Product&message=WP%206215-WHPS&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0%3C%204.0.10%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-798%20Use%20of%20Hard-coded%20Credentials&color=brighgreen)

### Description

In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies.  These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2023-37857](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37857)`
			`![](https://img.shields.io/static/v1?label=Product&message=WP%206070-WVPS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=WP%206101-WXPS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=WP%206121-WXPS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=WP%206156-WHPS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=WP%206185-WHPS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Product&message=WP%206215-WHPS&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=0%3C%204.0.10%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-798%20Use%20of%20Hard-coded%20Credentials&color=brighgreen)`

			`### Description`

			`In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated, remote attacker with admin privileges is able to read hardcoded cryptographic keys allowing the attacker to create valid session cookies. These session-cookies created by the attacker are not sufficient to obtain a valid session on the device.`

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/fkie-cad/nvd-json-data-feeds`