Lucene search

IcscertCVE-2015-6480

HistoryDec 21, 2015 - 11:59 a.m.

CVE-2015-6480

2015-12-2111:59:05

CWE-287

icscert

web.nvd.nist.gov

cve-2015-6480

messagebrokerservlet

moxa oncell central manager

authentication bypass

remote code execution

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AI Score

Confidence

High

EPSS

0.216

Percentile

96.5%

JSON

The MessageBrokerServlet servlet in Moxa OnCell Central Manager before 2.2 does not require authentication, which allows remote attackers to obtain administrative access via a command, as demonstrated by the addUserAndGroup action.

Affected configurations

Nvd

Node

moxaoncell_central_managerRange≤2.0

VendorProductVersionCPE
moxaoncell_central_manager*cpe:2.3:a:moxa:oncell_central_manager:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moxa	oncell_central_manager	*	cpe:2.3:a:moxa:oncell_central_manager::::::::

References

zerodayinitiative.com/advisories/ZDI-15-452/

ics-cert.us-cert.gov/advisories/ICSA-15-328-01

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

AI Score

Confidence

High

EPSS

0.216

Percentile

96.5%

JSON

Related for CVE-2015-6480