Privilege escalation

2020-01-2006:15:00

PRIOn knowledge base

www.prio-n.com

5.6 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

12.6%

JSON

An issue was discovered in Gallagher Command Centre 7.x before 7.90.991(MR5), 8.00 before 8.00.1161(MR5), and 8.10 before 8.10.1134(MR4). External system configuration data (used for third party integrations such as DVR systems) were logged in the Command Centre event trail. Any authenticated operator with the ‘view events’ privilege could see the full configuration, including cleartext usernames and passwords, under the event details of a Modified DVR System event.

CPENameOperatorVersion
command_centrege7.90
command_centrelt7.90.991
command_centrege8.10
command_centrelt8.10.1134
command_centrege8.00
command_centrelt8.00.1161
command_centreeq8.10.1134
command_centreeq8.00.1161
command_centreeq7.90.991
command_centrelt7.80

Name	Operator	Version
command_centre	ge	7.90
command_centre	lt	7.90.991
command_centre	ge	8.10
command_centre	lt	8.10.1134
command_centre	ge	8.00
command_centre	lt	8.00.1161
command_centre	eq	8.10.1134
command_centre	eq	8.00.1161
command_centre	eq	7.90.991
command_centre	lt	7.80

References

security.gallagher.com/cve-2020-7215