Vulners
Lucene search
Loytec LGATE-902 XSS / Traversal / File Deletion Vulnerabilities
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | CVE-2018-14916 | 28 Jun 201922:29 | – | circl |
| CVE-2018-14918 | 28 Jun 201922:29 | – | circl |
| CVE-2018-14919 | 28 Jun 201920:34 | – | circl |
 | CVE-2018-14916 | 28 Jun 201917:19 | – | cve |
| CVE-2018-14918 | 28 Jun 201917:01 | – | cve |
| CVE-2018-14919 | 28 Jun 201916:39 | – | cve |
 | CVE-2018-14916 | 28 Jun 201917:19 | – | cvelist |
| CVE-2018-14918 | 28 Jun 201917:01 | – | cvelist |
| CVE-2018-14919 | 28 Jun 201916:39 | – | cvelist |
 | EUVD-2018-6801 | 7 Oct 202500:30 | – | euvd |
10
Loytec LGATE-902 XSS / Traversal / File Deletion Vulnerabilities
INFORMATION
Product: Loytec LGATE-902 (https://www.loytec.com/)
Affected versions: < 6.4.2 (tested on version 6.3.2)
CVE IDs: CVE-2018-14919 (Stored and reflected XSS), CVE-2018-14918 (Path
traversal), and CVE-2018-14916 (Arbitrary file deletion).
Remote-exploit: yes
TIMELINE
Vendor notification: 26th July, 2018
Vendor acknowledgment: 1st August, 2018
Patch available: 13th November, 2018
Public disclosure: 7th April, 2019
INTRODUCTION
The LGATE-902 Gateway is a powerful gateway that can host user specific
graphical pages. The gateways provide connectivity functions to concurrently
integrate CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus. Local
operation and override is provided by the built-in jog dial and the backlit
display (128x64 pixels). Device and data point information is provided by the
Web interface and shown on the display via symbols and in text format.
(Description from: https://www.loytec.com/products/gateways/2259-lgate-902)
The three vulnerabilities described below affect the web application that runs
in the gateways and that is used to manage them.
VULNERABILITIES DESCRIPTION
The XSS vulnerability (CVE-2018-14919) allows an attacker to inject malicious
scripts into the trusted web interface running on a vulnerable device. The
scripts may be executed by the browser of an unsuspecting device administrator
to access session tokens or other sensitive information, as well as to perform
malicious actions on behalf of the user (e.g., internal network discovery and
traffic tunneling using BeEF).
Reflected XSS PoC (show alert dialog):
http://<device_address>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0
Stored XSS PoC (show alert dialog):
POST http://<device_address>/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]
The path traversal (CVE-2018-14918) and file deletion (CVE-2018-14916)
vulnerabilities allow an attacker to manipulate path references and access or
delete files and directories (including critical system files) that are stored
outside the root folder of the web application running on the device. This can
be used to read or delete system and configuration files containing, e.g.,
usernames and passwords.
Path traversal PoC (read /etc/passwd):
http://<device_address>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152
File deletion PoC (delete ../test.txt):
POST http://<device_address>/webui/config/doc/action
delete=1&update=1&name=../test.txt
SOLUTION
Update to version 6.4.2
# 0day.today [2019-04-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
10 Apr 2019 00:00Current
EPSS0.67624