Lucene search

[email protected]CVE-2019-17118

HistoryOct 17, 2019 - 6:15 p.m.

CVE-2019-17118

2019-10-1718:15:12

CWE-352

[email protected]

web.nvd.nist.gov

cve-2019-17118

csrf

wikid

2fa

enterprise server

security issue

remote attacker

unintended actions

nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.6%

JSON

A CSRF issue in WiKID 2FA Enterprise Server through 4.2.0-b2053 allows a remote attacker to trick an authenticated user into performing unintended actions such as (1) create or delete admin users; (2) create or delete groups; or (3) create, delete, enable, or disable normal users or devices.

Affected configurations

NVD

Node

wikidsystems2fa_enterprise_serverMatch3.4.81b676

wikidsystems2fa_enterprise_serverMatch3.4.85b780

wikidsystems2fa_enterprise_serverMatch3.4.87b1092

wikidsystems2fa_enterprise_serverMatch3.4.87b1159

wikidsystems2fa_enterprise_serverMatch3.4.87b1169

wikidsystems2fa_enterprise_serverMatch3.4.87b1216

wikidsystems2fa_enterprise_serverMatch3.4.87b824

wikidsystems2fa_enterprise_serverMatch3.4.87b839

wikidsystems2fa_enterprise_serverMatch3.5.0b1342

wikidsystems2fa_enterprise_serverMatch3.5.0b1352

wikidsystems2fa_enterprise_serverMatch3.5.0b1359

wikidsystems2fa_enterprise_serverMatch3.5.0b1373

wikidsystems2fa_enterprise_serverMatch3.5.0b1403

wikidsystems2fa_enterprise_serverMatch3.5.0b1411

wikidsystems2fa_enterprise_serverMatch3.5.0b1421

wikidsystems2fa_enterprise_serverMatch3.5.0b1428

wikidsystems2fa_enterprise_serverMatch3.5.0b1438

wikidsystems2fa_enterprise_serverMatch3.5.0b1472

wikidsystems2fa_enterprise_serverMatch3.5.0b1542

wikidsystems2fa_enterprise_serverMatch3.5.0b1580

wikidsystems2fa_enterprise_serverMatch3.6.0b1659

wikidsystems2fa_enterprise_serverMatch3.6.0b1672

wikidsystems2fa_enterprise_serverMatch4.0b1787

wikidsystems2fa_enterprise_serverMatch4.0b1798

wikidsystems2fa_enterprise_serverMatch4.0b1803

wikidsystems2fa_enterprise_serverMatch4.0.1b1817

wikidsystems2fa_enterprise_serverMatch4.0.1b1821

wikidsystems2fa_enterprise_serverMatch4.0.1b1905

wikidsystems2fa_enterprise_serverMatch4.0.1b1906

wikidsystems2fa_enterprise_serverMatch4.0.2b1917

wikidsystems2fa_enterprise_serverMatch4.0.2b1921

wikidsystems2fa_enterprise_serverMatch4.1.0b1926

wikidsystems2fa_enterprise_serverMatch4.1.0b1941

wikidsystems2fa_enterprise_serverMatch4.1.0b1949

wikidsystems2fa_enterprise_serverMatch4.1.0b1955

wikidsystems2fa_enterprise_serverMatch4.2.0b1978

wikidsystems2fa_enterprise_serverMatch4.2.0b1981

wikidsystems2fa_enterprise_serverMatch4.2.0b1984

wikidsystems2fa_enterprise_serverMatch4.2.0b2007

wikidsystems2fa_enterprise_serverMatch4.2.0b2014

wikidsystems2fa_enterprise_serverMatch4.2.0b2016

wikidsystems2fa_enterprise_serverMatch4.2.0b2020

wikidsystems2fa_enterprise_serverMatch4.2.0b2023

wikidsystems2fa_enterprise_serverMatch4.2.0b2028

wikidsystems2fa_enterprise_serverMatch4.2.0b2032

wikidsystems2fa_enterprise_serverMatch4.2.0b2047

wikidsystems2fa_enterprise_serverMatch4.2.0b2053

CPENameOperatorVersion
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq3.4.81
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq3.4.85
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq3.4.87
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq3.5.0
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq3.6.0
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq4.0
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq4.0.1
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq4.0.2
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq4.1.0
wikidsystems:2fa_enterprise_serverwikidsystems 2fa enterprise servereq4.2.0

CPE	Name	Operator	Version
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	3.4.81
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	3.4.85
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	3.4.87
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	3.5.0
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	3.6.0
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	4.0
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	4.0.1
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	4.0.2
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	4.1.0
wikidsystems:2fa_enterprise_server	wikidsystems 2fa enterprise server	eq	4.2.0

References

packetstormsecurity.com/files/154912/WiKID-Systems-2FA-Enterprise-Server-4.2.0-b2032-SQL-Injection-XSS-CSRF.html

seclists.org/fulldisclosure/2019/Oct/35

www.securitymetrics.com/blog/

www.securitymetrics.com/blog/wikid-2fa-enterprise-server-csrf

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.6%

JSON

Related for CVE-2019-17118

nvd1 cvelist1 prion1 packetstorm1 zdt1