CVE-2023-7328 PUBLISHED

Screen SFT DAB 600/C firmware versions up to and including 1.9.3 contain an improper access control on the user management API allows unauthenticated requests to retrieve structured user data, including account names and connection metadata such as client IP and timeout values.

• Gjoko Krstic of Zero Science Lab finder

• https://www.exploit-db.com/exploits/51460
• https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
• https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
• https://packetstormsecurity.com/files/172332/
• https://www.vulncheck.com/advisories/screen-sft-dab-600c-unauthenticated-information-disclosure

• CWE-306 Missing Authentication for Critical Function CWE

• CAPEC-36 Using Unpublished Interfaces or Functionality