{"api_version":"1","generated_at":"2026-06-07T09:35:22+00:00","cve":"CVE-2023-38255","urls":{"html":"https://cve.report/CVE-2023-38255","api":"https://cve.report/api/cve/CVE-2023-38255.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-38255","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-38255"},"summary":{"title":"CVE-2023-38255","description":"** UNSUPPORTED WHEN ASSIGNED ** A potential attacker with or without (cookie theft) access to the device would be able to include malicious code (XSS) when uploading new device configuration that could affect the intended function of the device.","state":"PUBLIC","assigner":"ics-cert@hq.dhs.gov","published_at":"2023-09-18 21:15:00","updated_at":"2023-11-07 04:17:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03","name":"https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03","refsource":"MISC","tags":[],"title":"Socomec MOD3GP-SY-120K | CISA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-38255","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38255","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"38255","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"h","cpe4":"socomec","cpe5":"modulys_gp","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"38255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"socomec","cpe5":"modulys_gp_firmware","cpe6":"01.12.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-38255","ASSIGNER":"ics-cert@hq.dhs.gov","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"** UNSUPPPORTED WHEN ASSIGNED ** \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nA potential attacker with or without (cookie theft) access to the device would be able to include malicious code (XSS) when uploading new device configuration that could affect the intended function of the device.\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-79 Cross-site Scripting","cweId":"CWE-79"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Socomec","product":{"product_data":[{"product_name":"MODULYS GP (MOD3GP-SY-120K)","version":{"version_data":[{"version_affected":"=","version_value":"v01.12.10"}]}}]}}]}},"references":{"reference_data":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03","refsource":"MISC","name":"https://www.cisa.gov/news-events/ics-advisories/icsa-23-250-03"}]},"generator":{"engine":"Vulnogram 
0.1.0-dev"},"source":{"advisory":"ICSA-23-250-03","discovery":"EXTERNAL"},"solution":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"\n\n<span style=\"background-color: rgb(255, 255, 255);\">Socomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities.</span>\n\n<br>"}],"value":"\nSocomec reports that MODULYS GP (MOD3GP-SY-120K) is an End-of-Life product. Socomec recommends using MODULYS GP2 (M4-S-XXX) instead. MODULYS GP2 (M4-S-XXX) is not affected by the above vulnerabilities.\n\n\n"}],"credits":[{"lang":"en","value":"Aarón Flecha Menéndez reported these vulnerabilities to CISA."}],"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"}]}},"nvd":{"publishedDate":"2023-09-18 21:15:00","lastModifiedDate":"2023-11-07 
04:17:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.1,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.7}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:socomec:modulys_gp_firmware:01.12.10:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:h:socomec:modulys_gp:-:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":null,"notes":[]}}}