CVE-2023-35794 Information

Description

An issue was discovered in Cassia Access Controller 2.1.1.2303271039. The Web SSH terminal endpoint (spawned console) can be accessed without authentication. Specifically, there is no session cookie validation on the Access Controller; instead, there is only Basic Authentication to the SSH console.

Reference

https://github.com/Dodge-MPTC/CVE-2023-35794-WebSSH-Hijacking
https://www.cassianetworks.com/products/iot-access-controller/
