Source: nvd
ID: NVD:CVE-2019-12254
History: May 06, 2022 - 6:15 p.m.

CVE-2019-12254

2022-05-06 18:15:08
CWE-287
web.nvd.nist.gov
3
access control
tecson tankspion
goks smartbox 4
unauthorized access
acl rules

CVSS2: 10

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.002
Percentile: 58.1%

In multiple Tecson Tankspion and GOKs SmartBox 4 products, the affected application doesn’t properly restrict access to an endpoint that is responsible for saving settings, leaving it open to an unauthenticated user with limited access rights. Because access-control rules are not adequately implemented, a malicious user who accesses a specific uniform resource locator (URL) on the web server is able to change the application settings without authenticating at all, which violates the originally laid ACL rules.

Affected configurations

Nvd

Node: gok smartbox_4_lan (Match: -) AND gok smartbox_4_lan_firmware
Node: gok smartbox_4_lan_pro (Match: -) AND gok smartbox_4_lan_pro_firmware
Node: tecson lx-q-net (Match: -) AND tecson lx-q-net_firmware
Node: tecson lx-net (Match: -) AND tecson lx-net_firmware
Node: tecson e-litro_net (Match: -) AND tecson e-litro_net_firmware

Vendor   Product                      Version   CPE
gok      smartbox_4_lan               -         cpe:2.3:h:gok:smartbox_4_lan:-:*:*:*:*:*:*:*
gok      smartbox_4_lan_firmware      *         cpe:2.3:o:gok:smartbox_4_lan_firmware:*:*:*:*:*:*:*:*
gok      smartbox_4_lan_pro           -         cpe:2.3:h:gok:smartbox_4_lan_pro:-:*:*:*:*:*:*:*
gok      smartbox_4_lan_pro_firmware  *         cpe:2.3:o:gok:smartbox_4_lan_pro_firmware:*:*:*:*:*:*:*:*
tecson   lx-q-net                     -         cpe:2.3:h:tecson:lx-q-net:-:*:*:*:*:*:*:*
tecson   lx-q-net_firmware            *         cpe:2.3:o:tecson:lx-q-net_firmware:*:*:*:*:*:*:*:*
tecson   lx-net                       -         cpe:2.3:h:tecson:lx-net:-:*:*:*:*:*:*:*
tecson   lx-net_firmware              *         cpe:2.3:o:tecson:lx-net_firmware:*:*:*:*:*:*:*:*
tecson   e-litro_net                  -         cpe:2.3:h:tecson:e-litro_net:-:*:*:*:*:*:*:*
tecson   e-litro_net_firmware         *         cpe:2.3:o:tecson:e-litro_net_firmware:*:*:*:*:*:*:*:*
